Independent Orbiter Assessment 
Analysis of the DPS Subsystem 


1.0 EXECUTIVE SUMMARY 

The McDonnell Douglas Astronautics Company (MDAC) was selected in 
June 1986 to perform an Independent Orbiter Assessment (IOA) of 
the Failure Mode and Effects Analysis / Critical Items List 
(FMEA/CIL). Direction was given by the STS Orbiter and GFE 
Projects Office to perform the hardware analysis using the 
instructions and ground rules defined in the Rockwell Desk 
Instructions 100-2G. The IOA approach features a top-down 
analysis of the hardware to independently determine failure 
modes, criticality, and potential critical items. This report 
documents the independent analysis results corresponding to the 
Orbiter Data Processing System (DPS) hardware. 

The DPS hardware is required for performing critical functions of 
data acquisition, data manipulation, data display, and data 
transfer throughout the Orbiter. Specifically, the DPS hardware 
consists of the following components: 

o Multiplexer/Demultiplexer (MDM) 
o General Purpose Computer (GPC) 
o Multifunction CRT Display System (MCDS) 
o Data Buses and Data Bus Couplers (DBC) 
o Data Bus Isolation Amplifiers (DBIA) 
o Mass Memory Unit (MMU) 
o Engine Interface Unit (EIU) 


The IOA analysis process utilized available DPS hardware drawings 
and schematics for defining hardware assemblies, components, and 
hardware items. Each level of hardware was evaluated and 
analyzed for possible failure modes and effects. Criticality was 
assigned based upon the severity of the effect for each failure 
mode. 

Figure 1 presents a summary of the failure criticalities for each 
of the seven major subdivisions of the DPS. A summary of the 
number of failure modes, by criticality, is also presented below 
with hardware criticality first and functional criticality 
second. 


        Summary of Failure Modes By Criticality (HW/F)

 Criticality: | 1/1 | 2/1R | 2/2 | 3/1R | 3/2R | 3/3 | TOTAL
 -------------+-----+------+-----+------+------+-----+------
 Number:      |  0  |  2   |  0  |  56  |  22  |  5  |  85

[Figure 1 - DPS OVERVIEW ANALYSIS SUMMARY]
(Legend: CRIT - CRITICALITY; FM - FAILURE MODE; PCI - POTENTIAL CRITICAL ITEM)




For each failure mode identified, the criticality and redundancy 
screens were examined to identify critical items. A summary of 
potential critical items is presented as follows: 


        Summary of Potential Critical Items (HW/F)

 Criticality: | 1/1 | 2/1R | 2/2 | 3/1R | 3/2R | 3/3 | TOTAL
 -------------+-----+------+-----+------+------+-----+------
 Number:      |  0  |  2   |  0  |  0   |  0   |  0  |   2


Due to the extensive redundancy built into the DPS, the number of 
critical items is small. Those identified resulted from premature 
operation and erroneous output of the GPCs. 


2.0 INTRODUCTION 


2.1 Purpose 

The 51-L Challenger accident prompted the NASA to readdress 
safety policies, concepts, and rationale being used in the 
National Space Transportation System (NSTS). The Space 
Transportation System (STS) Systems Office has undertaken the 
task of reevaluating the FMEA/CIL for the Space Shuttle design. 
The MDAC is providing an independent assessment of the Orbiter 
FMEA/CIL reevaluation results for completeness and technical 
accuracy. 


2.2 Scope 

The scope of the independent FMEA/CIL assessment activity 
encompasses those Shuttle Orbiter subsystems and GFE hardware 
identified in the Space Shuttle Independent FMEA/CIL Assessment 
Contractor Statement of Work. Each subsystem analysis addresses 
hardware, functions, internal and external interfaces, and 
operational requirements for all mission phases. 


2.3 Analysis Approach 

The independent analysis approach is a top-down analysis 
utilizing as-built drawings to break down the respective subsystem 
into components and low-level hardware items. Each hardware item 
is evaluated for failure mode, effects, and criticality. These 
data are documented in the respective subsystem analysis report, 
and are used to assess the NASA and Prime Contractor FMEA/CIL 
reevaluation results. The IOA analysis approach is summarized in 
the following Steps 1.0 through 3.0. Step 4.0 summarizes the 
assessment of the NASA and Prime Contractor FMEAs/CILs that is 
performed and documented at a later date. 


Step 1.0 Subsystem Familiarization 
    1.1 Define subsystem functions 
    1.2 Define subsystem components 
    1.3 Define subsystem specific ground rules and 
        assumptions 

Step 2.0 Define subsystem analysis diagram 
    2.1 Define subsystem 
    2.2 Define major assemblies 
    2.3 Develop detailed subsystem representations 

Step 3.0 Failure events definition 
    3.1 Construct matrix of failure modes 
    3.2 Document IOA analysis results 

Step 4.0 Compare IOA analysis data to Rockwell/NASA FMEA/CIL 
    4.1 Resolve differences 
    4.2 Review in-house 
    4.3 Document assessment issues 
    4.4 Forward findings to Project Manager 


2.4 DPS Ground Rules and Assumptions 

The DPS ground rules and assumptions used in the IOA are defined 
in Appendix B. The subsystem specific ground rules were defined 
to limit the analysis to single-failed-parts for each failure 
mode. A subset of the failure mode keywords was identified for 
the DPS team. This allowed for commonality in the analysis 
results. 


3.0 SUBSYSTEM DESCRIPTION 


3.1 Design and Function 

The DPS consists of that hardware required for data acquisition, 
data manipulation, data display, and data transfer on the 
Orbiter, and includes the five onboard computers and their 
interfaces. Reference Figure 2. More specifically, the DPS 
consists of the following components: 


1. Twelve MDM units which convert and format data at the 
   remote locations. Each MDM has internal redundancy and 
   consists of a Multiplexer Interface Adapter (MIA), 
   Sequential Control Unit (SCU), Input/Output Module, 
   Analog To Digital Converter, and Power Supply. They 
   convert and format serial digital GPC commands into 
   parallel discrete, digital, and analog data for transfer 
   to vehicle subsystem hardware. They also convert and 
   format parallel discrete, digital, and analog data from 
   vehicle subsystems into serial digital data for 
   transmission to the GPCs. Reference Figure 3. 

2. Five GPCs each consisting of a Central Processing Unit 
   (CPU) and Input/Output Processor (IOP). The CPU 
   functionally consists of an Arithmetic Logic Unit, Local 
   Store, Master Bus Control Unit, Data Flow Multiplexer, 
   Micro-code control unit, CPU Timer, Interrupt Logic, Main 
   Memory Timing Page, Timers, Address Bus Control, Main 
   Memory, and Power Supply. The IOP contains Control 
   Monitor, IOP Main Memory, Channel Control, Direct Memory 
   Access Queue, Arithmetic Logic Units, Local Store, 
   Micro-code store and Decode, MIAs, and Time-slice and 
   Multiplexing. One of the functions of the GPCs is to 
   support guidance, navigation, and control requirements of 
   the vehicle. They provide for the monitoring and control 
   of vehicle subsystems. They also check for data 
   transmission errors and crew input error. Vehicle system 
   failures and out-of-tolerance conditions are annunciated 
   by the GPCs. Reference Figure 4 and Figure 5. 

3. The MCDS consisting of three Keyboard Units (KU), four 
   Display Units (DU) and four Display Electronics Units 
   (DEU). Each KU has a Key, Switch and Light. The DU 
   consists of X/Y Deflection Amplifiers, Video Amplifiers, 
   Cathode-Ray Tube, BITE and Power Supplies. The DEU has 
   an Oscillator, Memory, Key-board Adapter, Symbol 
   Generator, MIA, Control Logic, BITE, Load Switch, and 
   Power Supplies. The subsystem provides for crew/vehicle 
   interface via a keyboard and CRT display. The crew can 
   interact with the subsystems with keyboard entries and 
   executions. Reference Figure 6 and Figure 7. 

4. Thirty serial digital data buses are connected to the Bus 
   Terminal Units (BTUs) via 227 DBCs. The DBCs are shown 
   in Figure 8. 

5. Two DBIAs provide the amplification necessary to drive 
   the stubs and provide isolation when the stubs are opened 
   or shorted at the umbilicals. 

6. Two MMUs containing MIAs, Read Electronics, Write 
   Electronics, Mass Memory Control Logic, Power Supply with 
   Switch, Tape Transport Mechanism with a motor, tape and 
   heads. The mass memory unit stores programs for loading 
   into the GPCs and the MCDS. Reference Figure 9. 

7. Three EIUs which provide status and command capability of 
   the main engines. The EIU contains an MIA, BITE, Status 
   Buffer, Controller Interface Adapter, Operational 
   Interface Element, Data Status and Power Supply. The EIU 
   transfers main engine control commands from the GPC and 
   main engine status for use by the GPC, the GSE launch 
   processing system, and the operational instrumentation 
   system. Reference Figure 10. 


The DPS interfaces with many onboard Orbiter systems including 
the Main Propulsion System, Solid Rocket Boosters, Reaction 
Control System (RCS), Orbital Maneuvering System (OMS), Air 
Surface Controls used for guidance and control, Nose-wheel 
Steering, and the Master Timing Units. 


3.2 Interfaces and Locations 

The DPS hardware is located throughout the Orbiter. The 
composite data bus network provides the hardware interfaces 
between the GPCs and all other avionics subsystems that 
communicate via a digital data format. Reference Figure 11. 

GPCs 1 and 4 are located in Avionics Bay 1 while GPCs 2 and 5 are 
located in Avionics Bay 2, to provide separation of redundancy. 
GPC 3 is located in Avionics Bay 3. Each GPC interfaces to all 
Flight Critical MDMs; however, only one GPC normally communicates 
to only one FF and one FA MDM during ascent and entry dynamic 
flight. 


3.3 Hierarchy 

Figure 2 illustrates the hierarchy of the DPS hardware and the 
corresponding subcomponents. Figures 3 through 10 comprise the 
detailed system representations. 

[Figure 2 - DPS SUBSYSTEM OVERVIEW]
(Legend: DPS Interface but not considered in DPS Analysis)

[Figure 3 - DPS MULTIPLEXER/DEMULTIPLEXER (MDM)]
(Legend: TAC - TACAN)

[Figure 4 - DPS GPC CENTRAL PROCESSING UNIT (CPU)]

[Figure 5 - DPS GPC INPUT/OUTPUT PROCESSOR (IOP)]

[Figure 6 - DPS MCDS FUNCTIONAL BLOCK DIAGRAM]

[Figure - DPS MCDS]

[Figure 8 - DPS DATA BUS COUPLERS (DBC)]

[Figure - DPS ENGINE INTERFACE UNIT]

4.0 ANALYSIS RESULTS 

Detailed analysis results for each of the identified failure modes 
are presented in Appendix C. Table I presents a summary of the 
failure criticalities for each of the seven major subdivisions of 
the DPS. Further discussion of each of these subdivisions and 
the applicable failure modes is provided in subsequent 
paragraphs. 


   TABLE I  Summary of Possible Failure Modes and Criticalities

 Criticality: | 1/1 | 2/1R | 2/2 | 3/1R | 3/2R | 3/3 | TOTAL
 -------------+-----+------+-----+------+------+-----+------
 MDM          |  -  |  -   |  -  |  27  |   9  |  -  |  36
 GPC          |  -  |  2   |  -  |   9  |   -  |  2  |  13
 MCDS         |  -  |  -   |  -  |  14  |   -  |  1  |  15
 DBC          |  -  |  -   |  -  |   1  |   -  |  -  |   1
 DBIA         |  -  |  -   |  -  |   -  |   1  |  -  |   1
 MMU          |  -  |  -   |  -  |   -  |  12  |  1  |  13
 EIU          |  -  |  -   |  -  |   5  |   -  |  1  |   6
 -------------+-----+------+-----+------+------+-----+------
 TOTAL        |  0  |  2   |  0  |  56  |  22  |  5  |  85


Of the 85 failure modes analyzed, no single failures were 
determined to result in loss of crew or vehicle, and two were 
determined to result in loss of mission. A summary of the 
potential critical items is presented in Table II. Appendix D 
presents a cross reference between each potential critical item 
(PCI) and a specific worksheet in Appendix C. 


        TABLE II  Summary of Potential Critical Items

 Criticality: | 1/1 | 2/1R | 2/2 | 3/1R | 3/2R | 3/3 | TOTAL
 -------------+-----+------+-----+------+------+-----+------
 GPC          |  -  |  2   |  -  |  -   |  -   |  -  |   2


4.1 Analysis Results MDM 

The MDM analysis considered nine failure modes for four groups of 
MDMs; namely FF, FA, PF, LF/LA as illustrated in Figure 3. Most 
of the criticalities were 3/1R. No PCIs were found. 


4.2 Analysis Results GPC 

The GPC analysis was subdivided into IOP and CPU failures. 
Generic black box failures were analyzed with causes stemming 
from failures of the subcomponents such as the MIA, as shown in 
Figure 4 and Figure 5. Two PCIs were identified and are listed 
in Appendix D. 


4.3 Analysis Results MCDS 

The MCDS consists of the KU, DU, and DEU. Functional failures of 
components were analyzed. These components are shown 
functionally in Figure 6 and Figure 7. Nine failure modes were 
identified and fifteen worksheets were generated. No PCIs were 
identified. 


4.4 Analysis Results DBC 

Thirty serial digital data buses connect the GPC IOPs to the BTUs 
via 227 DBCs. The DBCs' functional components are shown in 
Figure 8. Two failure modes were identified and one worksheet 
was generated. No PCIs were identified. 


4.5 Analysis Results DBIA 

The DBIAs consist of components required to provide isolation 
between the Orbiter Launch/Boost Data Buses and the SRBs and 
associated GSE for each. Four failure modes were identified and 
one worksheet was generated. No PCIs were identified. 


4.6 Analysis Results MMU 

The MMU analysis investigated failures in the individual 
components of power supply, read and write electronics, tape 
transport mechanism, MIA and control logic. These are shown 
functionally in Figure 9. The power switch and RPC were also 
investigated. Most of the failures were criticality 3/2R. No 
PCIs were identified. 


4.7 Analysis Results EIU 

The EIU provides commands to and status of the Main Engines. 
There were no failure modes analyzed that resulted in a PCI being 
defined. The EIU is shown functionally in Figure 10. 


5.0 REFERENCES 


Reference documentation available from NASA and Rockwell was used 
in the analysis. The documentation used included the following: 

1. ICD 13M15000, Vehicle/Main Engine Interface Control 
Document, Rev. U, 6-18-85 

2. JSC-18819, DPS Console Handbook, 8-1-84 

3. JSC-19041, MPS System Briefs, 10-1-84 

4. JSC-18820, DPS System Briefs, 4-20-85 

5. VS70-971102, Integrated System Schematic Rev. D, 9-28-85 

6. JSC-17239, Booster Console Handbook, 10-17-85 

7. JSC-12770, Shuttle Flight Operations Manual, Volume 5, 
Data Processing System, 3-24-84 

8. JSC 12820, STS Operational Flight Rules, Final PCN-3, 
6-28-85 

9. JSC 11174, Space Shuttle Systems Handbook, Rev. C, DCN-5, 
9-13-85 

10. 100-2G, Rockwell International Reliability Desk 
Instruction Flight Hardware FMEA and CIL, 1-31-84 

11. V72 Vol III, Operations and Maintenance Requirements and 
Specification Document - Orbiter OMRSD - DPS, 6-13-86 




APPENDIX A 
ACRONYMS 


A/D - Analog to Digital 
AID - Analog Input Differential 
AIS - Analog Input Single-ended 
ALU - Arithmetic Logic Unit 
AOA - Abort Once Around 
AOD - Analog Output Differential 
ATO - Abort To Orbit 
BFC - Backup Flight Controller 
BFS - Backup Flight System 
BITE - Built-In Test Equipment 
BSS - Backup System Services 
BTU - Bus Terminal Unit 
CIL - Critical Items List 
CPU - Central Processing Unit 
CRIT - Criticality 
CRT - Cathode Ray Tube 
C&W - Caution and Warning System 
DBC - Data Bus Coupler 
DBIA - Data Bus Isolation Amplifier 
DDU - Display Driver Unit 
DEU - Display Electronics Unit 
DIH - Discrete Input High 
DIL - Discrete Input Low 
DMA - Direct Memory Access 
DOH - Discrete Output High 
DOL - Discrete Output Low 
DPS - Data Processing System 
DU - Display Unit 
EIU - Engine Interface Unit 
EVA - Extra Vehicular Activity 
FA - Flight Aft 
FCOS - Flight Control Operating System 
FF - Flight Forward 
FM - Failure Mode 
FMEA - Failure Mode and Effects Analysis 
GPC - General Purpose Computer 
GSE - Ground Support Equipment 
IMU - Inertial Measurement Unit 
IOA - Independent Orbiter Assessment 
IOM - Input/Output Module 
IOP - Input/Output Processor 
IPL - Initial Program Load 
KU - Keyboard Unit 
LF - Launch Forward 
LL - Launch Left 
LPS - Launch Processing System 
LR - Launch Right 
LRU - Line Replaceable Unit 
MC - Memory Configuration 
MCDS - Multifunction CRT Display System 
MCIU - Manipulator Controller Interface Unit 
MDAC - McDonnell Douglas Astronautics Company 

MDM - Multiplexer/Demultiplexer 

MEC - Main Engine Controller 

MIA - Multiplexer Interface Adapter 

MM - Major Mode 

MMU - Mass Memory Unit 

MTU - Master Timing Unit 

NA - Not Applicable 

NASA - National Aeronautics and Space Administration 
NSTS - National Space Transportation System 
OA - Operational Aft 

OF - Operational Forward 

OMRSD - Operational Maintenance Requirements and Specifications 
Document 

OMS - Orbital Maneuvering System 
OPS - Operational Sequence 

PCI - Potential Critical Item 

PCM - Pulse Code Modulation 

PF - Payload Forward 

RCS - Reaction Control System 

RHC - Rotational Hand Controller 
RI - Rockwell International 

RM - Redundancy Management 

RMS - Remote Manipulator System 

RPC - Remote Power Controller 

RS - Redundant Set 

RTLS - Return To Landing Site 

SCU - Sequential Control Unit 

SIO - Serial Input / Output 

SM - Systems Management 

SRB - Solid Rocket Booster 

SSME - Space Shuttle Main Engine 

STS - Space Transportation System 

SW - Software 


TAC - Tacan 

TAL - Transatlantic Abort Landing 

TD - Touch Down 

THC - Translational Hand Controller 

VDC - Volts Direct Current 
APPENDIX B 

DEFINITIONS, GROUND RULES, AND ASSUMPTIONS 


B.1 Definitions 
B.2 Project Level Ground Rules and Assumptions 
B.3 Subsystem-Specific Ground Rules and Assumptions 


B.1 Definitions 

Definitions contained in Reliability Desk Instruction, 100-2G 
Rockwell International, 31 January 1984, were used with the 
following amplifications and additions. 

ABORT DEFINITIONS: 

RTLS - begins at transition to OPS 6 and ends at transition to 
OPS 9, post-flight. 

TAL - begins at declaration of the abort and ends at transition 
to OPS 9, post-flight. 

AOA - begins at declaration of the abort and ends at transition 
to OPS 9, post-flight. 

ATO - begins at declaration of the Abort To Orbit (ATO) and ends 
upon transition out of OPS 1. 

CREDIBLE (CAUSE) - an event that can be predicted or expected in 
anticipated operational environmental conditions. Excludes an 
event where multiple failures must first occur to result in 
environmental extremes. 

EFFECTS/RATIONALE - Description of the case which generated the 
highest criticality. 

HIGHEST CRITICALITY - The highest criticalities determined in the 
phase-by-phase analysis. 

MAJOR MODE (MM) - major sub-mode of software operational sequence 
(OPS). 

MC - Memory Configuration of Primary Avionics Software System 
(PASS). 

MISSION - assigned performance of a specific orbiter flight with 
payload/objective accomplishments such as launch window, orbit 
phasing, and altitude. 

MULTIPLE ORDER FAILURE - describes the failure due to a single 
cause or event of all units which perform a necessary (critical) 
function. 

NORMAL GROUND TURNAROUND - begins at end of post-landing safing 
operations and ends at beginning of prelaunch operations. 

OPS - software operational sequence. 

PHASE DEFINITIONS: 

PRELAUNCH PHASE - begins at Orbiter launch count-down 
power-up and ends at moding to OPS Major Mode 102 (liftoff). 

LIFTOFF MISSION PHASE - begins with SRB ignition (MM 102) and 
ends at transition out of OPS 1. (Synonymous with ASCENT). 

ONORBIT PHASE - begins at transition to OPS 2 or OPS 8 and 
ends upon transition out of OPS 2 or OPS 8. 

DEORBIT PHASE - begins at transition to OPS Major Mode 
301 and ends at first main landing gear touchdown at landing 
site. 

LANDING/SAFING PHASE - begins at first main gear 
touchdown at the landing site and ends with the completion of 
post-landing safing operations. 

READILY DETECTABLE - easily and obviously observable and 
comprehensible by flight and/or ground personnel. Readily 
detectable requires the capability of getting a crewmember to 
respond to a problem notification via real-time monitored 
displays, on-board alerts, visual indications, or ground 
notification. (Ground notification must not be considered unless 
sufficient time is available to perform corrective action to 
preclude the critical consequences of the failure, using 
worst-case telemetry and data.) 

B.2 IOA Project Level Ground Rules and Assumptions 

The philosophy embodied in Reliability Desk Instruction, 100-2G 
Rockwell International, 31 January 1984, was employed with the 
following amplifications and additions. 


1.  The operational flight software is an accurate 
    implementation of the Flight System Software Requirements 
    (FSSRs). 

    RATIONALE: Software verification is out-of-scope of 
               this task. 


2.  After Lift-Off, any parameter which is monitored by system 
    management (SM) or which drives any part of the Caution and 
    Warning System (C&W) will support passage of Redundancy 
    Screen B for its corresponding hardware item. 

    RATIONALE: Analysis of on-board parameter availability 
               and/or the actual monitoring by on-board 
               personnel is beyond the scope of this task. 


3.  Any data employed with flight software is assumed to be 
    functional for the specific vehicle and specific mission 
    being flown. 

    RATIONALE: Mission data verification is out-of-scope of 
               this task. 


4.  All hardware (including firmware) is manufactured and 
    assembled to the design specifications/drawings. 

    RATIONALE: Acceptance and verification testing is 
               designed to detect and identify problems 
               before the item is approved for use. 


5.  All Flight Data File crew procedures will be assumed 
    performed as written, and will not include human error in 
    their performance. 

    RATIONALE: Failures caused by human operational error 
               are out-of-scope of this task. 


6.  All hardware analyses will, as a minimum, be performed at 
    the level of analysis existent within NASA/prime contractor 
    Orbiter FMEA/CILs, and will be permitted to go to greater 
    hardware detail levels but not lesser. 

    RATIONALE: Comparison of MDAC IOA analysis results with 
               other analyses requires that both analyses 
               be performed to a comparable level of detail. 


7.  The presence of a failure detectability parameter in 
    telemetry is sufficient justification for passing Redundancy 
    Screen B. Verification that the parameter is actually 
    monitored by ground based personnel is not required. 

    RATIONALE: Analysis of mission-dependent telemetry 
               availability and/or the actual monitoring of 
               applicable data by ground-based personnel is 
               beyond the scope of this task. 


8.  For the purpose of passing Redundancy Screen A, the term 
    "normal ground turnaround" shall include the prelaunch 
    mission phase. 

    RATIONALE: Some items cannot be checked out until after 
               propellant loading or main engine 
               conditioning begins although the vehicle is 
               still on the ground. This philosophy was 
               adopted by the Level II PRCB. 


9.  At a minimum, loss of mission is declared when a failure 
    results in a launch delay beyond the pre-planned launch 
    window. 

    RATIONALE: Subsystem failures can occur near the 
               nominal launch time. When these failures 
               result in a launch delay, a loss of mission 
               occurs even though the vehicle never enters 
               into any in-flight mode. 


10. The determination of criticalities per phase is based on the 
    worst case effect of a failure for the phase being analyzed. 
    The failure can occur in the phase being analyzed or in 
    any previous phase, whatever produces the worst case effects 
    for the phase of interest. 

    RATIONALE: Assigning phase criticalities ensures a 
               thorough and complete analysis. 


11. The "Next Related Failure" when used in determining hardware 
    criticality 2 (one failure away from loss of crew/vehicle) 
    is defined as the worst case failure of next redundant item. 
    This definition applies only to dual redundancy by definition. 

    RATIONALE: The RI Desk Instruction Appendix B, 3.1.1.1 
               states the definition of criticality 2. For 
               the purpose of this analysis "Next related 
               Failure" is clearly defined to ensure 
               project consistency. 

B.3 DPS-Specific Ground Rules and Assumptions 

The IOA analysis was performed to the component or assembly level 
of the DPS subsystem. The analysis considered the worst case 
effects of the hardware or functional failure on the subsystem, 
mission, and crew and vehicle safety. 


1.  Electronics were considered to have the following 
    credible failure modes. 

    a. Premature operation 
    b. Erroneous/erratic output 
    c. No output 

    RATIONALE: These failure mode keywords were the 
               most applicable for the DPS electronics 
               hardware. 


APPENDIX C 
DETAILED ANALYSIS 


This section contains the IOA analysis worksheets employed during 
the analysis of the DPS subsystem. The information on these 
worksheets is intentionally similar to the FMEAs written by 
Rockwell and the NASA. Each of these sheets identifies the item 
being analyzed, and parent assembly, as well as the function. For 
each failure mode, the possible causes are outlined, and the 
assessed hardware and functional criticality for each mission 
phase is listed, as described in the Rockwell Desk Instructions 
100-2G. Finally, effects are entered at the bottom of each 
sheet, and the worst case criticality is entered at the top. 


LEGEND FOR IOA ANALYSIS WORKSHEETS 


Hardware Criticalities: 

  1 = Loss of life or vehicle 
  2 = Loss of mission 
  3 = Non loss of life or vehicle or mission 

Functional Criticalities: 

  1R = Redundant identical hardware components or redundant 
       functional paths all of which, if failed, could cause 
       loss of life or vehicle. 
  2R = Redundant identical hardware components or redundant 
       functional paths all of which, if failed, could cause 
       loss of mission. 

Redundancy Screen A: 

  1 = Is Checked Out PreFlight 
  2 = Is Capable of Check Out PreFlight 
  3 = Not Capable of Check Out PreFlight 
  4 = Do Not Know 

Redundancy Screens B and C: 

  P = Passed Screen 
  F = Failed Screen 
  NA = Not Applicable 
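
The roll-up from per-phase criticalities to the HIGHEST CRITICALITY entry at the top of each worksheet can be checked mechanically. The following is an added example, not part of the original report: the severity ranking is an assumption taken from the column order of the report's summary tables, the function names and dictionary layout are hypothetical, WS_100 copies the phase values of worksheet MDAC ID 100, and WS_CONSTRUCTED is a constructed worksheet with a deliberately inconsistent header.

```python
import re
from collections import Counter

# Assumption: severity ranking follows the column order of the report's
# summary tables, most severe first (hardware criticality 1 is worst).
SEVERITY_ORDER = ("1/1", "2/1R", "2/2", "3/1R", "3/2R", "3/3")
_RANK = {crit: i for i, crit in enumerate(SEVERITY_ORDER)}


def normalize(text):
    """Canonicalize a HDW/FUNC string ('3 / 2r' -> '3/2R') or raise ValueError."""
    crit = re.sub(r"\s+", "", text).upper()
    if crit not in _RANK:
        raise ValueError(f"unknown HDW/FUNC criticality: {text!r}")
    return crit


def worst(values):
    """Return the most severe criticality among the given strings."""
    crits = [normalize(v) for v in values]
    if not crits:
        raise ValueError("no criticalities supplied")
    return min(crits, key=_RANK.__getitem__)


def rollup(worksheet):
    """Recompute the HIGHEST CRITICALITY block (FLIGHT and ABORT)."""
    return {
        "FLIGHT": worst(worksheet["flight"].values()),
        "ABORT": worst(worksheet["abort"].values()),
    }


def check_header(worksheet):
    """List mismatches between the stated header and the recomputed roll-up."""
    problems = []
    for key, computed in rollup(worksheet).items():
        stated = normalize(worksheet["highest"][key])
        if stated != computed:
            problems.append(
                f"{worksheet['mdac_id']} {key}: stated {stated}, computed {computed}"
            )
    return problems


def tally(worksheets):
    """Count worksheets by overall worst criticality, in summary-table order."""
    counts = Counter(worst(rollup(ws).values()) for ws in worksheets)
    return {crit: counts.get(crit, 0) for crit in SEVERITY_ORDER}


# Phase values as printed on worksheet MDAC ID 100.
WS_100 = {
    "mdac_id": "100",
    "highest": {"FLIGHT": "3/1R", "ABORT": "3/1R"},
    "flight": {
        "PRELAUNCH": "3/2R", "LIFTOFF": "3/1R", "ONORBIT": "3/2R",
        "DEORBIT": "3/1R", "LANDING/SAFING": "3/1R",
    },
    "abort": {"RTLS": "3/1R", "TAL": "3/1R", "AOA": "3/1R", "ATO": "3/1R"},
}

# Constructed worksheet (not from the report): the FLIGHT header understates
# the LIFTOFF phase, which the check should flag.
WS_CONSTRUCTED = {
    "mdac_id": "X-1",
    "highest": {"FLIGHT": "3/1R", "ABORT": "2/1R"},
    "flight": {
        "PRELAUNCH": "3/3", "LIFTOFF": "2/1R", "ONORBIT": "3/2R",
        "DEORBIT": "3/1R", "LANDING/SAFING": "3/1R",
    },
    "abort": {"RTLS": "2/1R", "TAL": "3/1R", "AOA": "3/1R", "ATO": "3/1R"},
}

if __name__ == "__main__":
    for ws in (WS_100, WS_CONSTRUCTED):
        print(ws["mdac_id"], rollup(ws), check_header(ws) or "header consistent")
    print(tally([WS_100, WS_CONSTRUCTED]))
```
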


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 

DATE:       10/03/86          HIGHEST CRITICALITY  HDW/FUNC 
SUBSYSTEM:  DPS                    FLIGHT:         3/1R 
MDAC ID:    100                    ABORT:          3/1R 

ITEM:          MDM FF1, FF2, FF3, FF4 
FAILURE MODE:  LOSS OF OUTPUT TO GPC 

LEAD ANALYST: W. A. HAUFLER        SUBSYS LEAD: B. ROBB 

BREAKDOWN HIERARCHY: 
  1) DPS 
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM) 
  3) FLIGHT CRITICAL FORWARD MDM (FF1..4) 
  4) 
  5) 
  6) 
  7) 
  8) 
  9) 

                        CRITICALITIES 
  FLIGHT PHASE      HDW/FUNC      ABORT     HDW/FUNC 
  PRELAUNCH:        3/2R          RTLS:     3/1R 
  LIFTOFF:          3/1R          TAL:      3/1R 
  ONORBIT:          3/2R          AOA:      3/1R 
  DEORBIT:          3/1R          ATO:      3/1R 
  LANDING/SAFING:   3/1R 

REDUNDANCY SCREENS: A [ 1 ]   B [ P ]   C [ P ] 

LOCATION:     AV BAY 1,2,3,2 
PART NUMBER:  MC615-0004-6110, 5110 

CAUSES: VIBRATION, CORROSION, CONTAMINATION 

EFFECTS/RATIONALE: 
FCOS SETS COMMFAULT FLAG FOR THAT DATA. APPLICATION SW IGNORES 
THAT DATA. FCOS BYPASSES MDM AFTER 2ND CONSECUTIVE COMMFAULT, 
AND DISPLAYS FAULT MSG ON CRTS. PORT MODING MAY RECOVER MDM, 
BUT NOT ALLOWED DURING ASCENT UNTIL AFTER 2ND MDM FAILURE. IF 
ALL REDUNDANCY FAILS, LOSE USE OF IMU TORQUING, FORWARD RCS JETS, 
HAND CONTROLS (THC,RHC), MOST SWITCHES AND INDICATORS. 

REFERENCES: 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 

DATE:       10/03/86          HIGHEST CRITICALITY  HDW/FUNC 
SUBSYSTEM:  DPS                    FLIGHT:         3/1R 
MDAC ID:    101                    ABORT:          3/1R 

ITEM:          MDM FF1, FF2, FF3, FF4 
FAILURE MODE:  LOSS OF OUTPUT TO LRU 

LEAD ANALYST: W. A. HAUFLER        SUBSYS LEAD: B. ROBB 

BREAKDOWN HIERARCHY: 
  1) DPS 
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM) 
  3) FLIGHT CRITICAL FORWARD MDM (FF1..4) 
  4) 
  5) 
  6) 
  7) 
  8) 
  9) 

                        CRITICALITIES 
  FLIGHT PHASE      HDW/FUNC      ABORT     HDW/FUNC 
  PRELAUNCH:        3/2R          RTLS:     3/1R 
  LIFTOFF:          3/1R          TAL:      3/1R 
  ONORBIT:          3/2R          AOA:      3/1R 
  DEORBIT:          3/1R          ATO:      3/1R 
  LANDING/SAFING:   3/1R 

REDUNDANCY SCREENS: A [ 1 ]   B [ P ]   C [ P ] 

LOCATION:     AV BAY 1,2,3,2 
PART NUMBER:  MC615-0004-6110, 5110 

CAUSES: VIBRATION, CORROSION, CONTAMINATION 

EFFECTS/RATIONALE: 
FCOS DOES NOT DIRECTLY DETECT THIS ERROR VIA MDM RETURN WORD 
PROCESSING. FAULT TOLERANCE DEPENDS ON REDUNDANT STRINGS TO 
VOTING LRUS. DETECTION DEPENDS ON SEPARATE, REDUNDANT FEEDBACK 
SIGNALS. IF ALL REDUNDANCY FAILS, LOSE USE OF IMU TORQUING, 
FORWARD RCS JETS, HAND CONTROLS (THC,RHC), MOST SWITCHES AND 
INDICATORS. 

REFERENCES: 
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INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

102 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: MDM FF1 , FF2 , FF3 , FF4 

FAILURE MODE: ERRONEOUS OUTPUT TO GPC 


LEAD ANALYST: W. A. HAUFLER SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 

1) DPS 

2) MULTIPLEXER-DEMULTIPLEXERS (MDM) 

3) FLIGHT CRITICAL FORWARD MDM (FF1..4) 

4) 

5) 

6) 

7) 

8 ) 

9) 


CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRE LAUNCH: 

3/2R 

RTLS: 

3/1R 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT : 

3/2R 

AO A: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

3/1R 

LANDING/S AFING: 3/1R 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 

LOCATION: AV BAY 

1,2, 3, 2 



PART NUMBER: MC6 15- 

0004-6110, 

5110 


CAUSES : VIBRATION , 

CORROSION, 

CONTAMINATION 



EFFECTS/RATIONALE : 

FCOS SETS COMMFAULT FLAG FOR THAT DATA. APPLICATION SW IGNORES 
THAT DATA. FCOS BYPASSES MDM AFTER 2ND CONSECUTIVE COMMFAULT, 

AND DISPLAYS FAULT MSG ON CRTS. PORT MODING MAY RECOVER MDM, BUT 
NOT ALLOWED DURING ASCENT UNTIL AFTER 2ND MDM FAILURE. IF ALL 
REDUNDANCY FAILS, LOSE USE OF IMU TORQUING, FORWARD RCS JETS, 

HAND CONTROLS (THC,RHC) , MOST SWITCHES AND INDICATORS. 

REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    103             ABORT:                3/1R

ITEM:          MDM FF1, FF2, FF3, FF4
FAILURE MODE:  ERRONEOUS OUTPUT TO LRU

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) FLIGHT CRITICAL FORWARD MDM (FF1..4)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/1R
  LIFTOFF:         3/1R         TAL:     3/1R
  ONORBIT:         3/2R         AOA:     3/1R
  DEORBIT:         3/1R         ATO:     3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,2,3,2
PART NUMBER:  MC615-0004-6110, 5110

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS DOES NOT DIRECTLY DETECT THIS ERROR VIA MDM RETURN WORD
PROCESSING. FAULT TOLERANCE DEPENDS ON REDUNDANT STRINGS TO
VOTING LRUS. DETECTION DEPENDS ON SEPARATE, REDUNDANT FEEDBACK
SIGNALS. IF ALL REDUNDANCY FAILS, LOSE USE OF IMU TORQUING,
FORWARD RCS JETS, HAND CONTROLS (THC,RHC), MOST SWITCHES AND
INDICATORS.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    104             ABORT:                3/1R

ITEM:          MDM FF1, FF2, FF3, FF4
FAILURE MODE:  PREMATURE OPERATION TO GPC

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) FLIGHT CRITICAL FORWARD MDM (FF1..4)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/1R
  LIFTOFF:         3/1R         TAL:     3/1R
  ONORBIT:         3/2R         AOA:     3/1R
  DEORBIT:         3/1R         ATO:     3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,2,3,2
PART NUMBER:  MC615-0004-6110, 5110

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

THIS FAILURE ON EITHER PORT CAN INTERFERE WITH FCOS RETURNING
DATA FROM OTHER BTU(S) AND CAUSE HEALTHY BTU(S) TO BE BYPASSED.
PORT MODING WILL NOT FIX A BLABBING MDM. POWER CYCLING MAY RESET
ELECTRONICS, BUT CANNOT BE PERFORMED DURING ASCENT (POWER
SWITCHES CANNOT BE REACHED), AND WILL NOT ALWAYS STOP PREMATURE
OPERATIONS. IF ALL REDUNDANCY FAILS, LOSE USE OF IMU TORQUING,
FORWARD RCS JETS, HAND CONTROLS (THC,RHC), MOST SWITCHES AND
INDICATORS.

REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    105             ABORT:                3/1R

ITEM:          MDM FF1, FF2, FF3, FF4
FAILURE MODE:  PREMATURE OPERATION TO LRU

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) FLIGHT CRITICAL FORWARD MDM (FF1..4)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/1R
  LIFTOFF:         3/1R         TAL:     3/1R
  ONORBIT:         3/2R         AOA:     3/1R
  DEORBIT:         3/1R         ATO:     3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,2,3,2
PART NUMBER:  MC615-0004-6110, 5110

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS DOES NOT DIRECTLY DETECT THIS ERROR VIA MDM RETURN WORD
PROCESSING. FAULT TOLERANCE DEPENDS ON REDUNDANT STRINGS TO
VOTING LRUS. DETECTION DEPENDS ON SEPARATE, REDUNDANT FEEDBACK
SIGNALS. IF ALL REDUNDANCY FAILS, LOSE USE OF IMU TORQUING,
FORWARD RCS JETS, HAND CONTROLS (THC,RHC), MOST SWITCHES AND
INDICATORS.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    106             ABORT:                3/1R

ITEM:          MDM FF1, FF2, FF3, FF4
FAILURE MODE:  SELECTED ALL CHANNELS WRONG

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) FLIGHT CRITICAL FORWARD MDM (FF1..4)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/1R
  LIFTOFF:         3/1R         TAL:     3/1R
  ONORBIT:         3/2R         AOA:     3/1R
  DEORBIT:         3/1R         ATO:     3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,2,3,2
PART NUMBER:  MC615-0004-6110, 5110

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

THE GPC'S FCOS AND THE LRUS WOULD REJECT ALL DATA FROM THAT MDM
EXCEPT ANY DATA THAT HAPPENED TO BE IN THE SAME FORMAT AS THE
EXPECTED DATA. REDUNDANCY MGT. SOON DETECTS AND BYPASSES THAT
MDM, AND THE EFFECTS OF WRONG DATA INPUT OR OUTPUT IS MINIMIZED.
IF ALL REDUNDANCY FAILS, LOSE USE OF IMU TORQUING, FORWARD RCS
JETS, HAND CONTROLS (THC,RHC), MOST SWITCHES AND INDICATORS.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    107             ABORT:                3/1R

ITEM:          MDM FF1, FF2, FF3, FF4
FAILURE MODE:  STUCK ON A CONSTANT OUTPUT TO LRU

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) FLIGHT CRITICAL FORWARD MDM (FF1..4)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/1R
  LIFTOFF:         3/1R         TAL:     3/1R
  ONORBIT:         3/2R         AOA:     3/1R
  DEORBIT:         3/1R         ATO:     3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,2,3,2
PART NUMBER:  MC615-0004-6110, 5110

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS DOES NOT DIRECTLY DETECT THIS ERROR VIA MDM RETURN WORD
PROCESSING. FAULT TOLERANCE DEPENDS ON REDUNDANT STRINGS TO
VOTING LRUS. DETECTION DEPENDS ON SEPARATE, REDUNDANT FEEDBACK
SIGNALS. IF ALL REDUNDANCY FAILS, LOSE USE OF IMU TORQUING,
FORWARD RCS JETS, HAND CONTROLS (THC,RHC), MOST SWITCHES AND
INDICATORS.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    108             ABORT:                3/1R

ITEM:          MDM FF1, FF2, FF3, FF4
FAILURE MODE:  FALSELY STUCK ON BUSY MODE

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) FLIGHT CRITICAL FORWARD MDM (FF1..4)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/1R
  LIFTOFF:         3/1R         TAL:     3/1R
  ONORBIT:         3/2R         AOA:     3/1R
  DEORBIT:         3/1R         ATO:     3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,2,3,2
PART NUMBER:  MC615-0004-6110, 5110

CAUSES: VIBRATION, CORROSION, CONTAMINATION, SCU BUSY CROSS-STRAP
STUCK HIGH

EFFECTS/RATIONALE:

FCOS SETS COMMFAULT FLAG FOR THAT DATA. APPLICATION SW IGNORES
THAT DATA. FCOS BYPASSES MDM AFTER 2ND CONSECUTIVE COMMFAULT,
AND DISPLAYS FAULT MSG ON CRTS. PORT MODING MAY RECOVER MDM, BUT
NOT ALLOWED DURING ASCENT UNTIL AFTER 2ND MDM FAILURE. IF ALL
REDUNDANCY FAILS, LOSE USE OF IMU TORQUING, FORWARD RCS JETS,
HAND CONTROLS (THC,RHC), MOST SWITCHES AND INDICATORS.

REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    120             ABORT:                3/1R

ITEM:          MDM FA1, FA2, FA3, FA4
FAILURE MODE:  LOSS OF OUTPUT TO GPC

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) FLIGHT CRITICAL AFT MDM (FA1..4)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/1R
  LIFTOFF:         3/1R         TAL:     3/1R
  ONORBIT:         3/2R         AOA:     3/1R
  DEORBIT:         3/1R         ATO:     3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 4,5,6,6
PART NUMBER:  MC615-0004-6110, 5110

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS SETS COMMFAULT FLAG FOR THAT DATA. APPLICATION SW IGNORES
THAT DATA. FCOS BYPASSES MDM AFTER 2ND CONSECUTIVE COMMFAULT,
AND DISPLAYS FAULT MSG ON CRTS. PORT MODING MAY RECOVER MDM, BUT
NOT ALLOWED DURING ASCENT UNTIL AFTER 2ND MDM FAILURE. IF ALL
REDUNDANCY FAILS, LOSE USE OF AFT RCS, BODY FLAP, AILERONS,
RUDDER, SPEEDBRAKE, AND ABILITY TO PURGE SSMES AND TANKS.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    121             ABORT:                3/1R

ITEM:          MDM FA1, FA2, FA3, FA4
FAILURE MODE:  LOSS OF OUTPUT TO LRU

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) FLIGHT CRITICAL AFT MDM (FA1..4)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/1R
  LIFTOFF:         3/1R         TAL:     3/1R
  ONORBIT:         3/2R         AOA:     3/1R
  DEORBIT:         3/1R         ATO:     3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 4,5,6,6
PART NUMBER:  MC615-0004-6110, 5110

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS DOES NOT DIRECTLY DETECT THIS ERROR VIA MDM RETURN WORD
PROCESSING. FAULT TOLERANCE DEPENDS ON REDUNDANT STRINGS TO
VOTING LRUS. DETECTION DEPENDS ON SEPARATE, REDUNDANT FEEDBACK
SIGNALS. IF ALL REDUNDANCY FAILS, LOSE USE OF AFT RCS, BODY
FLAP, AILERONS, RUDDER, SPEEDBRAKE, AND ABILITY TO PURGE SSMES
AND TANKS.

REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    122             ABORT:                3/1R

ITEM:          MDM FA1, FA2, FA3, FA4
FAILURE MODE:  ERRONEOUS OUTPUT TO GPC

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) FLIGHT CRITICAL AFT MDM (FA1..4)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/1R
  LIFTOFF:         3/1R         TAL:     3/1R
  ONORBIT:         3/2R         AOA:     3/1R
  DEORBIT:         3/1R         ATO:     3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 4,5,6,6
PART NUMBER:  MC615-0004-6110, 5110

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS SETS COMMFAULT FLAG FOR THAT DATA. APPLICATION SW IGNORES
THAT DATA. FCOS BYPASSES MDM AFTER 2ND CONSECUTIVE COMMFAULT,
AND DISPLAYS FAULT MSG ON CRTS. PORT MODING MAY RECOVER MDM, BUT
NOT ALLOWED DURING ASCENT UNTIL AFTER 2ND MDM FAILURE. IF ALL
REDUNDANCY FAILS, LOSE USE OF AFT RCS, BODY FLAP, AILERONS,
RUDDER, SPEEDBRAKE, AND ABILITY TO PURGE SSMES AND TANKS.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    123             ABORT:                3/1R

ITEM:          MDM FA1, FA2, FA3, FA4
FAILURE MODE:  ERRONEOUS OUTPUT TO LRU

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) FLIGHT CRITICAL AFT MDM (FA1..4)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/1R
  LIFTOFF:         3/1R         TAL:     3/1R
  ONORBIT:         3/2R         AOA:     3/1R
  DEORBIT:         3/1R         ATO:     3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 4,5,6,6
PART NUMBER:  MC615-0004-6110, 5110

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS DOES NOT DIRECTLY DETECT THIS ERROR VIA MDM RETURN WORD
PROCESSING. FAULT TOLERANCE DEPENDS ON REDUNDANT STRINGS TO
VOTING LRUS. DETECTION DEPENDS ON SEPARATE, REDUNDANT FEEDBACK
SIGNALS. IF ALL REDUNDANCY FAILS, LOSE USE OF AFT RCS, BODY
FLAP, AILERONS, RUDDER, SPEEDBRAKE, AND ABILITY TO PURGE SSMES
AND TANKS.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    124             ABORT:                3/1R

ITEM:          MDM FA1, FA2, FA3, FA4
FAILURE MODE:  PREMATURE OPERATION TO GPC

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) FLIGHT CRITICAL AFT MDM (FA1..4)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/1R
  LIFTOFF:         3/1R         TAL:     3/1R
  ONORBIT:         3/2R         AOA:     3/1R
  DEORBIT:         3/1R         ATO:     3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 4,5,6,6
PART NUMBER:  MC615-0004-6110, 5110

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

THIS FAILURE ON EITHER PORT CAN INTERFERE WITH FCOS RETURNING
DATA FROM OTHER BTU(S) AND CAUSE GOOD BTU(S) TO BE BYPASSED.
PORT MODING WILL NOT FIX A BLABBING MDM. POWER CYCLING MAY RESET
ELECTRONICS, BUT CANNOT BE PERFORMED DURING ASCENT (POWER
SWITCHES CANNOT BE REACHED), AND WILL NOT ALWAYS STOP PREMATURE
OPERATIONS. IF ALL REDUNDANCY FAILS, LOSE USE OF AFT RCS, BODY
FLAP, AILERONS, RUDDER, SPEEDBRAKE, AND ABILITY TO PURGE SSMES
AND TANKS.

REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    125             ABORT:                3/1R

ITEM:          MDM FA1, FA2, FA3, FA4
FAILURE MODE:  PREMATURE OPERATION TO LRU

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) FLIGHT CRITICAL AFT MDM (FA1..4)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/1R
  LIFTOFF:         3/1R         TAL:     3/1R
  ONORBIT:         3/2R         AOA:     3/1R
  DEORBIT:         3/1R         ATO:     3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 4,5,6,6
PART NUMBER:  MC615-0004-6110, 5110

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS DOES NOT DIRECTLY DETECT THIS ERROR VIA MDM RETURN WORD
PROCESSING. FAULT TOLERANCE DEPENDS ON REDUNDANT STRINGS TO
VOTING LRUS. DETECTION DEPENDS ON SEPARATE, REDUNDANT FEEDBACK
SIGNALS. IF ALL REDUNDANCY FAILS, LOSE USE OF AFT RCS, BODY
FLAP, AILERONS, RUDDER, SPEEDBRAKE, AND ABILITY TO PURGE SSMES
AND TANKS.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    126             ABORT:                3/1R

ITEM:          MDM FA1, FA2, FA3, FA4
FAILURE MODE:  SELECTED ALL CHANNELS WRONG

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) FLIGHT CRITICAL AFT MDM (FA1..4)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/1R
  LIFTOFF:         3/1R         TAL:     3/1R
  ONORBIT:         3/2R         AOA:     3/1R
  DEORBIT:         3/1R         ATO:     3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 4,5,6,6
PART NUMBER:  MC615-0004-6110, 5110

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

THE GPC'S FCOS AND THE LRUS WOULD REJECT ALL DATA FROM THAT MDM
EXCEPT ANY DATA THAT HAPPENED TO BE IN THE SAME FORMAT AS THE
EXPECTED DATA. REDUNDANCY MGT. SOON DETECTS AND BYPASSES THAT
MDM, AND THE EFFECTS OF WRONG DATA INPUT OR OUTPUT IS MINIMIZED.
IF ALL REDUNDANCY FAILS, LOSE USE OF AFT RCS, BODY FLAP,
AILERONS, RUDDER, SPEEDBRAKE, AND ABILITY TO PURGE SSMES AND
TANKS.

REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    127             ABORT:                3/1R

ITEM:          MDM FA1, FA2, FA3, FA4
FAILURE MODE:  STUCK ON A CONSTANT OUTPUT TO LRU

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) FLIGHT CRITICAL AFT MDM (FA1..4)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/1R
  LIFTOFF:         3/1R         TAL:     3/1R
  ONORBIT:         3/2R         AOA:     3/1R
  DEORBIT:         3/1R         ATO:     3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 4,5,6,6
PART NUMBER:  MC615-0004-6110, 5110

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS DOES NOT DIRECTLY DETECT THIS ERROR VIA MDM RETURN WORD
PROCESSING. FAULT TOLERANCE DEPENDS ON REDUNDANT STRINGS TO
VOTING LRUS. DETECTION DEPENDS ON SEPARATE, REDUNDANT FEEDBACK
SIGNALS. IF ALL REDUNDANCY FAILS, LOSE USE OF AFT RCS, BODY
FLAP, AILERONS, RUDDER, SPEEDBRAKE, AND ABILITY TO PURGE SSMES
AND TANKS.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    128             ABORT:                3/1R

ITEM:          MDM FA1, FA2, FA3, FA4
FAILURE MODE:  FALSELY STUCK ON BUSY MODE

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) FLIGHT CRITICAL AFT MDM (FA1..4)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/1R
  LIFTOFF:         3/1R         TAL:     3/1R
  ONORBIT:         3/2R         AOA:     3/1R
  DEORBIT:         3/1R         ATO:     3/1R
  LANDING/SAFING:  3/1R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 4,5,6,6
PART NUMBER:  MC615-0004-6110, 5110

CAUSES: VIBRATION, CORROSION, CONTAMINATION, SCU BUSY CROSS-STRAP
STUCK HIGH

EFFECTS/RATIONALE:

FCOS SETS COMMFAULT FLAG FOR THAT DATA. APPLICATION SW IGNORES
THAT DATA. FCOS BYPASSES MDM AFTER 2ND CONSECUTIVE COMMFAULT,
AND DISPLAYS FAULT MSG ON CRTS. PORT MODING MAY RECOVER MDM, BUT
NOT ALLOWED DURING ASCENT UNTIL AFTER 2ND MDM FAILURE. IF ALL
REDUNDANCY FAILS, LOSE USE OF AFT RCS, BODY FLAP, AILERONS,
RUDDER, SPEEDBRAKE, AND ABILITY TO PURGE SSMES AND TANKS.

REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    140             ABORT:                3/3

ITEM:          MDM PF1, PF2
FAILURE MODE:  LOSS OF OUTPUT TO GPC

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) PAYLOAD FORWARD MDM (PF1..2)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/3
  LIFTOFF:         3/3          TAL:     3/3
  ONORBIT:         3/1R         AOA:     3/3
  DEORBIT:         3/3          ATO:     3/3
  LANDING/SAFING:  3/3

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,2
PART NUMBER:  MC615-0004-6710, 5710

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS/BSS SETS COMMFAULT FLAG FOR THAT DATA. APPLICATION SW
IGNORES THAT DATA. SYSTEM SOFTWARE BYPASSES MDM AFTER 2ND
CONSECUTIVE COMMFAULT, AND DISPLAYS FAULT MSG ON CRTS. PORT
MODING MAY NOT RECOVER MDM. IF ALL REDUNDANCY FAILS, LOSE
ABILITY TO RELEASE, OPEN, CLOSE, AND LATCH PAYLOAD BAY DOORS, AND
ABILITY TO CRADLE AND LATCH RMS ARM WITHOUT AN EVA.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    141             ABORT:                3/3

ITEM:          MDM PF1, PF2
FAILURE MODE:  LOSS OF OUTPUT TO LRU

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) PAYLOAD FORWARD MDM (PF1..2)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/3
  LIFTOFF:         3/3          TAL:     3/3
  ONORBIT:         3/1R         AOA:     3/3
  DEORBIT:         3/3          ATO:     3/3
  LANDING/SAFING:  3/3

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,2
PART NUMBER:  MC615-0004-6710, 5710

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS/BSS DOES NOT DIRECTLY DETECT THIS ERROR VIA MDM RETURN WORD
PROCESSING. FAULT TOLERANCE DEPENDS ON REDUNDANT PF MDMS.
DETECTION DEPENDS ON SEPARATE, REDUNDANT FEEDBACK SIGNALS. IF
ALL REDUNDANCY FAILS, LOSE ABILITY TO RELEASE, OPEN, CLOSE, AND
LATCH PAYLOAD BAY DOORS, AND ABILITY TO CRADLE AND LATCH RMS ARM
WITHOUT AN EVA.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    142             ABORT:                3/3

ITEM:          MDM PF1, PF2
FAILURE MODE:  ERRONEOUS OUTPUT TO GPC

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) PAYLOAD FORWARD MDM (PF1..2)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/3
  LIFTOFF:         3/3          TAL:     3/3
  ONORBIT:         3/1R         AOA:     3/3
  DEORBIT:         3/3          ATO:     3/3
  LANDING/SAFING:  3/3

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,2
PART NUMBER:  MC615-0004-6710, 5710

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS/BSS SETS COMMFAULT FLAG FOR THAT DATA. APPLICATION SW
IGNORES THAT DATA. SYSTEM SOFTWARE BYPASSES MDM AFTER 2ND
CONSECUTIVE COMMFAULT, AND DISPLAYS FAULT MSG ON CRTS. PORT
MODING MAY NOT RECOVER MDM. IF ALL REDUNDANCY FAILS, LOSE
ABILITY TO RELEASE, OPEN, CLOSE, AND LATCH PAYLOAD BAY DOORS, AND
ABILITY TO CRADLE AND LATCH RMS ARM WITHOUT AN EVA.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    143             ABORT:                3/3

ITEM:          MDM PF1, PF2
FAILURE MODE:  ERRONEOUS OUTPUT TO LRU

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) PAYLOAD FORWARD MDM (PF1..2)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/3
  LIFTOFF:         3/3          TAL:     3/3
  ONORBIT:         3/1R         AOA:     3/3
  DEORBIT:         3/3          ATO:     3/3
  LANDING/SAFING:  3/3

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,2
PART NUMBER:  MC615-0004-6710, 5710

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS/BSS DOES NOT DIRECTLY DETECT THIS ERROR VIA MDM RETURN WORD
PROCESSING. FAULT TOLERANCE DEPENDS ON REDUNDANT PF MDMS.
DETECTION DEPENDS ON SEPARATE, REDUNDANT FEEDBACK SIGNALS. IF
ALL REDUNDANCY FAILS, LOSE ABILITY TO RELEASE, OPEN, CLOSE, AND
LATCH PAYLOAD BAY DOORS, AND ABILITY TO CRADLE AND LATCH RMS ARM
WITHOUT AN EVA.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    144             ABORT:                3/3

ITEM:          MDM PF1, PF2
FAILURE MODE:  PREMATURE OPERATION TO GPC

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) PAYLOAD FORWARD MDM (PF1..2)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/3
  LIFTOFF:         3/3          TAL:     3/3
  ONORBIT:         3/1R         AOA:     3/3
  DEORBIT:         3/3          ATO:     3/3
  LANDING/SAFING:  3/3

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,2
PART NUMBER:  MC615-0004-6710, 5710

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

THIS FAILURE ON EITHER PORT CAN INTERFERE WITH FCOS/BSS RETURNING
DATA FROM OTHER PF MDM AND CAUSE GOOD MDM TO BE BYPASSED. PORT
MODING WILL NOT FIX A BLABBING MDM. POWER CYCLING MAY RESET
ELECTRONICS, BUT WILL NOT ALWAYS STOP PREMATURE OPERATIONS. IF
ALL REDUNDANCY FAILS, LOSE ABILITY TO RELEASE, OPEN, CLOSE, AND
LATCH PAYLOAD BAY DOORS, AND ABILITY TO CRADLE AND LATCH RMS ARM
WITHOUT AN EVA.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    145             ABORT:                3/3

ITEM:          MDM PF1, PF2
FAILURE MODE:  PREMATURE OPERATION TO LRU

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) PAYLOAD FORWARD MDM (PF1..2)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/3
  LIFTOFF:         3/3          TAL:     3/3
  ONORBIT:         3/1R         AOA:     3/3
  DEORBIT:         3/3          ATO:     3/3
  LANDING/SAFING:  3/3

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,2
PART NUMBER:  MC615-0004-6710, 5710

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS/BSS DOES NOT DIRECTLY DETECT THIS ERROR VIA MDM RETURN WORD
PROCESSING. FAULT TOLERANCE DEPENDS ON REDUNDANT PF MDMS.
DETECTION DEPENDS ON SEPARATE, REDUNDANT FEEDBACK SIGNALS. IF
ALL REDUNDANCY FAILS, LOSE ABILITY TO RELEASE, OPEN, CLOSE, AND
LATCH PAYLOAD BAY DOORS, AND ABILITY TO CRADLE AND LATCH RMS ARM
WITHOUT AN EVA.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    146             ABORT:                3/3

ITEM:          MDM PF1, PF2
FAILURE MODE:  SELECTED ALL CHANNELS WRONG

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) PAYLOAD FORWARD MDM (PF1..2)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/3
  LIFTOFF:         3/3          TAL:     3/3
  ONORBIT:         3/1R         AOA:     3/3
  DEORBIT:         3/3          ATO:     3/3
  LANDING/SAFING:  3/3

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,2
PART NUMBER:  MC615-0004-6710, 5710

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

THE GPC'S FCOS AND THE LRUS WOULD REJECT ALL DATA FROM THAT MDM
EXCEPT ANY DATA THAT HAPPENED TO BE IN THE SAME FORMAT AS THE
EXPECTED DATA. REDUNDANCY MGT. SOON DETECTS AND BYPASSES THAT
MDM, AND THE EFFECTS OF WRONG DATA INPUT OR OUTPUT IS MINIMIZED.
IF ALL REDUNDANCY FAILS, LOSE ABILITY TO RELEASE, OPEN, CLOSE,
AND LATCH PAYLOAD BAY DOORS, AND ABILITY TO CRADLE AND LATCH RMS
ARM WITHOUT AN EVA.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    147             ABORT:                3/3

ITEM:          MDM PF1, PF2
FAILURE MODE:  STUCK ON A CONSTANT OUTPUT TO LRU

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) PAYLOAD FORWARD MDM (PF1..2)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/3
  LIFTOFF:         3/3          TAL:     3/3
  ONORBIT:         3/1R         AOA:     3/3
  DEORBIT:         3/3          ATO:     3/3
  LANDING/SAFING:  3/3

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,2
PART NUMBER:  MC615-0004-6710, 5710

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS/BSS DOES NOT DIRECTLY DETECT THIS ERROR VIA MDM RETURN WORD
PROCESSING. FAULT TOLERANCE DEPENDS ON REDUNDANT PF MDMS.
DETECTION DEPENDS ON SEPARATE, REDUNDANT FEEDBACK SIGNALS. IF
ALL REDUNDANCY FAILS, LOSE ABILITY TO RELEASE, OPEN, CLOSE, AND
LATCH PAYLOAD BAY DOORS, AND ABILITY TO CRADLE AND LATCH RMS ARM
WITHOUT AN EVA.

REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/1R
MDAC ID:    148             ABORT:                3/3

ITEM:          MDM PF1, PF2
FAILURE MODE:  FALSELY STUCK ON BUSY MODE

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) PAYLOAD FORWARD MDM (PF1..2)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    3/3
  LIFTOFF:         3/3          TAL:     3/3
  ONORBIT:         3/1R         AOA:     3/3
  DEORBIT:         3/3          ATO:     3/3
  LANDING/SAFING:  3/3

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,2
PART NUMBER:  MC615-0004-6710, 5710

CAUSES: VIBRATION, CORROSION, CONTAMINATION, SCU BUSY CROSS-STRAP
STUCK HIGH

EFFECTS/RATIONALE:

FCOS/BSS SETS COMMFAULT FLAG FOR THAT DATA. APPLICATION SW
IGNORES THAT DATA. SYSTEM SOFTWARE BYPASSES MDM AFTER 2ND
CONSECUTIVE COMMFAULT, AND DISPLAYS FAULT MSG ON CRTS. PORT
MODING MAY NOT RECOVER MDM. IF ALL REDUNDANCY FAILS, LOSE
ABILITY TO RELEASE, OPEN, CLOSE, AND LATCH PAYLOAD BAY DOORS, AND
ABILITY TO CRADLE AND LATCH RMS ARM WITHOUT AN EVA.


REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/2R
MDAC ID:    180             ABORT:                /NA

ITEM:          MDM LF1, LA1
FAILURE MODE:  LOSS OF OUTPUT TO GPC

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) PRELAUNCH FORWARD & AFT MDM (LF, LA)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    /NA
  LIFTOFF:         /NA          TAL:     /NA
  ONORBIT:         /NA          AOA:     /NA
  DEORBIT:         /NA          ATO:     /NA
  LANDING/SAFING:  3/2R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,6
PART NUMBER:  MC615-0004-6610, 5600

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS SETS COMMFAULT FLAG FOR THAT DATA. APPLICATION SW IGNORES
THAT DATA. FCOS BYPASSES MDM AFTER 2ND CONSECUTIVE COMMFAULT,
AND DISPLAYS FAULT MSG ON CRTS. PORT MODING MAY RECOVER MDM. IF
ALL REDUNDANCY FAILS, LOSE ABILITY OF GSE TO MONITOR AND CONTROL
SYSTEMS WHILE ATTACHED.

REFERENCES:


INDEPENDENT ORBITER ASSESSMENT
ORBITER SUBSYSTEM ANALYSIS WORKSHEET

DATE:       10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM:  DPS             FLIGHT:               3/2R
MDAC ID:    181             ABORT:                /NA

ITEM:          MDM LF1, LA1
FAILURE MODE:  LOSS OF OUTPUT TO LRU

LEAD ANALYST: W. A. HAUFLER     SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
  1) DPS
  2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
  3) PRELAUNCH FORWARD & AFT MDM (LF, LA)
  4)
  5)
  6)
  7)
  8)
  9)

CRITICALITIES
  FLIGHT PHASE     HDW/FUNC     ABORT    HDW/FUNC
  PRELAUNCH:       3/2R         RTLS:    /NA
  LIFTOFF:         /NA          TAL:     /NA
  ONORBIT:         /NA          AOA:     /NA
  DEORBIT:         /NA          ATO:     /NA
  LANDING/SAFING:  3/2R

REDUNDANCY SCREENS:  A [ 1 ]   B [ P ]   C [ P ]

LOCATION:     AV BAY 1,6
PART NUMBER:  MC615-0004-6610, 5600

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:

FCOS DOES NOT DIRECTLY DETECT THIS ERROR VIA MDM RETURN WORD
PROCESSING. FAULT TOLERANCE DEPENDS ON REDUNDANT STRINGS TO
VOTING LRUS. DETECTION DEPENDS ON SEPARATE, REDUNDANT FEEDBACK
SIGNALS. IF ALL REDUNDANCY FAILS, LOSE ABILITY OF GSE TO MONITOR
AND CONTROL SYSTEMS WHILE ATTACHED.


REFERENCES : 


C-30


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/2R
MDAC ID:   182             ABORT:                /NA

ITEM:         MDM LF1, LA1
FAILURE MODE: ERRONEOUS OUTPUT TO GPC

LEAD ANALYST: W. A. HAUFLER    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
3) PRELAUNCH FORWARD & AFT MDM (LF, LA)
4)
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/2R        RTLS:    /NA
LIFTOFF:          /NA         TAL:     /NA
ONORBIT:          /NA         AOA:     /NA
DEORBIT:          /NA         ATO:     /NA
LANDING/SAFING:   3/2R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: AV BAY 1,6
PART NUMBER: MC615-0004-6610, 5600

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:
FCOS SETS COMMFAULT FLAG FOR THAT DATA. APPLICATION SW IGNORES
THAT DATA. FCOS BYPASSES MDM AFTER 2ND CONSECUTIVE COMMFAULT,
AND DISPLAYS FAULT MSG ON CRTS. PORT MODING MAY RECOVER MDM, BUT
NOT ALLOWED DURING ASCENT UNTIL AFTER 2ND MDM FAILURE. IF ALL
REDUNDANCY FAILS, LOSE ABILITY OF GSE TO MONITOR AND CONTROL
SYSTEMS WHILE ATTACHED.

REFERENCES:


C-31 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/2R
MDAC ID:   183             ABORT:                /NA

ITEM:         MDM LF1, LA1
FAILURE MODE: ERRONEOUS OUTPUT TO LRU

LEAD ANALYST: W. A. HAUFLER    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
3) PRELAUNCH FORWARD & AFT MDM (LF, LA)
4)
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/2R        RTLS:    /NA
LIFTOFF:          /NA         TAL:     /NA
ONORBIT:          /NA         AOA:     /NA
DEORBIT:          /NA         ATO:     /NA
LANDING/SAFING:   3/2R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: AV BAY 1,6
PART NUMBER: MC615-0004-6610, 5600

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:
FCOS DOES NOT DIRECTLY DETECT THIS ERROR VIA MDM RETURN WORD
PROCESSING. FAULT TOLERANCE DEPENDS ON REDUNDANT STRINGS TO
VOTING LRUS. DETECTION DEPENDS ON SEPARATE, REDUNDANT FEEDBACK
SIGNALS. IF ALL REDUNDANCY FAILS, LOSE ABILITY OF GSE TO MONITOR
AND CONTROL SYSTEMS WHILE ATTACHED.

REFERENCES:


C-32


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/2R
MDAC ID:   184             ABORT:                /NA

ITEM:         MDM LF1, LA1
FAILURE MODE: PREMATURE OPERATION TO GPC

LEAD ANALYST: W. A. HAUFLER    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
3) PRELAUNCH FORWARD & AFT MDM (LF, LA)
4)
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/2R        RTLS:    /NA
LIFTOFF:          /NA         TAL:     /NA
ONORBIT:          /NA         AOA:     /NA
DEORBIT:          /NA         ATO:     /NA
LANDING/SAFING:   3/2R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: AV BAY 1,6
PART NUMBER: MC615-0004-6610, 5600

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:
THIS FAILURE ON EITHER PORT CAN INTERFERE WITH FCOS RETURNING
DATA FROM OTHER BTU(S) AND CAUSE GOOD BTU(S) TO BE BYPASSED.
PORT MODING WILL NOT FIX A BLABBING MDM. POWER CYCLING MAY RESET
ELECTRONICS, BUT WILL NOT ALWAYS STOP PREMATURE OPERATIONS. IF
ALL REDUNDANCY FAILS, LOSE ABILITY OF GSE TO MONITOR AND CONTROL
SYSTEMS WHILE ATTACHED.

REFERENCES:


C-33 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/2R
MDAC ID:   185             ABORT:                /NA

ITEM:         MDM LF1, LA1
FAILURE MODE: PREMATURE OPERATION TO LRU

LEAD ANALYST: W. A. HAUFLER    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
3) PRELAUNCH FORWARD & AFT MDM (LF, LA)
4)
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/2R        RTLS:    /NA
LIFTOFF:          /NA         TAL:     /NA
ONORBIT:          /NA         AOA:     /NA
DEORBIT:          /NA         ATO:     /NA
LANDING/SAFING:   3/2R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: AV BAY 1,6
PART NUMBER: MC615-0004-6610, 5600

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:
FCOS DOES NOT DIRECTLY DETECT THIS ERROR VIA MDM RETURN WORD
PROCESSING. FAULT TOLERANCE DEPENDS ON REDUNDANT STRINGS TO
VOTING LRUS. DETECTION DEPENDS ON SEPARATE, REDUNDANT FEEDBACK
SIGNALS. IF ALL REDUNDANCY FAILS, LOSE ABILITY OF GSE TO MONITOR
AND CONTROL SYSTEMS WHILE ATTACHED.

REFERENCES:


C-34 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/2R
MDAC ID:   186             ABORT:                /NA

ITEM:         MDM LF1, LA1
FAILURE MODE: SELECTED ALL CHANNELS WRONG

LEAD ANALYST: W. A. HAUFLER    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
3) PRELAUNCH FORWARD & AFT MDM (LF, LA)
4)
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/2R        RTLS:    /NA
LIFTOFF:          /NA         TAL:     /NA
ONORBIT:          /NA         AOA:     /NA
DEORBIT:          /NA         ATO:     /NA
LANDING/SAFING:   3/2R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: AV BAY 1,6
PART NUMBER: MC615-0004-6610, 5600

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:
THE GPC'S FCOS AND THE LRUS WOULD REJECT ALL DATA FROM THAT MDM
EXCEPT ANY DATA THAT HAPPENED TO BE IN THE SAME FORMAT AS THE
EXPECTED DATA. REDUNDANCY MGT. SOON DETECTS AND BYPASSES THAT
MDM, AND THE EFFECTS OF WRONG DATA INPUT OR OUTPUT ARE MINIMIZED.
IF ALL REDUNDANCY FAILS, LOSE ABILITY OF GSE TO MONITOR AND
CONTROL SYSTEMS WHILE ATTACHED.

REFERENCES:


C-35 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/2R
MDAC ID:   187             ABORT:                /NA

ITEM:         MDM LF1, LA1
FAILURE MODE: STUCK ON A CONSTANT OUTPUT TO LRU

LEAD ANALYST: W. A. HAUFLER    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
3) PRELAUNCH FORWARD & AFT MDM (LF, LA)
4)
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/2R        RTLS:    /NA
LIFTOFF:          /NA         TAL:     /NA
ONORBIT:          /NA         AOA:     /NA
DEORBIT:          /NA         ATO:     /NA
LANDING/SAFING:   3/2R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: AV BAY 1,6
PART NUMBER: MC615-0004-6610, 5600

CAUSES: VIBRATION, CORROSION, CONTAMINATION

EFFECTS/RATIONALE:
FCOS DOES NOT DIRECTLY DETECT THIS ERROR VIA MDM RETURN WORD
PROCESSING. FAULT TOLERANCE DEPENDS ON REDUNDANT STRINGS TO
VOTING LRUS. DETECTION DEPENDS ON SEPARATE, REDUNDANT FEEDBACK
SIGNALS. IF ALL REDUNDANCY FAILS, LOSE ABILITY OF GSE TO MONITOR
AND CONTROL SYSTEMS WHILE ATTACHED.

REFERENCES:


C-36


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/2R
MDAC ID:   188             ABORT:                /NA

ITEM:         MDM LF1, LA1
FAILURE MODE: FALSELY STUCK ON BUSY MODE

LEAD ANALYST: W. A. HAUFLER    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) MULTIPLEXER-DEMULTIPLEXERS (MDM)
3) PRELAUNCH FORWARD & AFT MDM (LF, LA)
4)
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/2R        RTLS:    /NA
LIFTOFF:          /NA         TAL:     /NA
ONORBIT:          /NA         AOA:     /NA
DEORBIT:          /NA         ATO:     /NA
LANDING/SAFING:   3/2R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: AV BAY 1,6
PART NUMBER: MC615-0004-6610, 5600

CAUSES: VIBRATION, CORROSION, CONTAMINATION, SCU BUSY CROSS-STRAP
STUCK HIGH

EFFECTS/RATIONALE:
FCOS SETS COMMFAULT FLAG FOR THAT DATA. APPLICATION SW IGNORES
THAT DATA. FCOS BYPASSES MDM AFTER 2ND CONSECUTIVE COMMFAULT,
AND DISPLAYS FAULT MSG ON CRTS. PORT MODING MAY RECOVER MDM. IF
ALL REDUNDANCY FAILS, LOSE ABILITY OF GSE TO MONITOR AND CONTROL
SYSTEMS WHILE ATTACHED.

REFERENCES:


C-37 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/1R
MDAC ID:   201             ABORT:                3/1R

ITEM:         INPUT/OUTPUT PROCESSOR (IOP)
FAILURE MODE: LOSS OF OUTPUT

LEAD ANALYST: T. B. CRIBBS    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) GENERAL PURPOSE COMPUTER (GPC)
3) INPUT/OUTPUT PROCESSOR (IOP)
4)
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/2R        RTLS:    3/1R
LIFTOFF:          3/1R        TAL:     3/1R
ONORBIT:          3/2R        AOA:     3/1R
DEORBIT:          3/1R        ATO:     3/1R
LANDING/SAFING:   3/1R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: AV BAYS
PART NUMBER:

CAUSES: MIA FAILS TO OUTPUT TO DATA BUS DUE TO PIECE/PART
FAILURE FROM CONTAMINATION OR MECHANICAL, THERMAL, OR ELECTRICAL
OVERSTRESS, OR POWER FAILURE

EFFECTS/RATIONALE:
LOSS OF A BUS-COMMANDING MIA RESULTS IN LOSS OF A GPC'S ABILITY
TO COMMUNICATE OVER THAT BUS, ATTACHED BUS TERMINAL UNITS
(BTU'S), AND ALL INPUTS AND OUTPUTS CONNECTED TO THOSE BTU'S. IN
DYNAMIC FLIGHT PHASES, WHERE A SINGLE BTU CONTROLS AN ACTUATOR,
THE CREW WOULD HAVE TO MANUALLY INTERVENE ON A SINGLE FAILURE,
AND SWITCHING TRANSIENTS COULD ARISE. LOSS OF ALL REDUNDANCY
WOULD CAUSE LOSS OF VEHICLE CONTROL.

REFERENCES: JSC 18820, JSC 11174, JSC 12770


C-38 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/1R
MDAC ID:   202             ABORT:                3/1R

ITEM:         INPUT/OUTPUT PROCESSOR (IOP)
FAILURE MODE: ERRATIC/ERRONEOUS OUTPUT

LEAD ANALYST: T. B. CRIBBS    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) GENERAL PURPOSE COMPUTER (GPC)
3) INPUT/OUTPUT PROCESSOR (IOP)
4)
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/2R        RTLS:    3/1R
LIFTOFF:          3/1R        TAL:     3/1R
ONORBIT:          3/2R        AOA:     3/1R
DEORBIT:          3/1R        ATO:     3/1R
LANDING/SAFING:   3/1R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: AV BAYS
PART NUMBER:

CAUSES: COMPONENT FAILURE DUE TO CONTAMINATION OR MECHANICAL,
THERMAL, OR ELECTRICAL OVERSTRESS IN MIA, ALU, MUX, LOCAL STORE,
OR MEMORY

EFFECTS/RATIONALE:
CRITICAL GPC OUTPUTS ARE VALIDATED BY SUMWORD COMPARISON;
HOWEVER, ERRORS ARE DOWNLINKED AND LOGGED, BUT NOT CORRECTED.
MDM/ACTUATOR HARDWARE CANCELS THE EFFECTS OF AN ERRONEOUS OUTPUT
FROM A SINGLE CHANNEL BY "FORCE FIGHTING", BUT MULTIPLE FAILURES
DURING CRITICAL FLIGHT PHASES WOULD LIKELY RESULT IN LOSS OF
VEHICLE/LIFE.

REFERENCES: JSC 18820, JSC 11174, JSC 12770


C-39 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               2/1R
MDAC ID:   203             ABORT:                2/1R

ITEM:         INPUT/OUTPUT PROCESSOR (IOP)
FAILURE MODE: PREMATURE OPERATION

LEAD ANALYST: T. B. CRIBBS    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) GENERAL PURPOSE COMPUTER (GPC)
3) INPUT/OUTPUT PROCESSOR (IOP)
4)
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/3         RTLS:    2/1R
LIFTOFF:          2/1R        TAL:     2/1R
ONORBIT:          3/2R        AOA:     3/1R
DEORBIT:          2/1R        ATO:     3/1R
LANDING/SAFING:   2/1R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: AV BAYS
PART NUMBER:

CAUSES: CONTROL MONITOR, CHANNEL CONTROL, MSC, OR MICROCODE
STORE FAILURE RESULTS IN INVALID EXECUTION OF PROGRAM. CAUSED BY
PIECE/PART FAILURE.

EFFECTS/RATIONALE:
PREMATURE ISSUANCE OF CRITICAL OUTPUTS IS DETECTED BY OTHER GPC'S
IN THE REDUNDANT SET. GPC FAILS TO SYNC AND STRINGS ARE BYPASSED
BY OTHER GPC'S. FAULTY COMMANDS ARE STILL PASSED TO THE ACTUATOR
BY FAILED GPC. PREMATURE COMMANDS TO ACTUATORS DURING DYNAMIC
FLIGHT PHASES WOULD LIKELY RESULT IN LOSS OF VEHICLE/LIFE, IF
ACTUATOR REDUNDANCY WAS LOST OR IF SIMULTANEOUS LOSS OF TWO
OUTPUT CHANNELS.

REFERENCES: JSC 18820, JSC 11174, JSC 12770


C-40


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/1R
MDAC ID:   204             ABORT:                3/1R

ITEM:         INPUT/OUTPUT PROCESSOR (IOP)
FAILURE MODE: ERRONEOUS INPUT

LEAD ANALYST: T. B. CRIBBS    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) GENERAL PURPOSE COMPUTER (GPC)
3) INPUT/OUTPUT PROCESSOR (IOP)
4)
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/2R        RTLS:    3/1R
LIFTOFF:          3/1R        TAL:     3/1R
ONORBIT:          3/2R        AOA:     3/1R
DEORBIT:          3/1R        ATO:     3/1R
LANDING/SAFING:   3/3

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: AV BAYS
PART NUMBER:

CAUSES: COMPONENT FAILURE DUE TO CONTAMINATION OR MECHANICAL,
THERMAL, OR ELECTRICAL OVERSTRESS IN MIA, ALU, MUX, LOCAL STORE,
MEMORY, OR DMA QUEUE

EFFECTS/RATIONALE:
CRITICAL GPC/IOP INPUTS ARE VALIDATED THRU PARITY CHECKING.
RECURRING INPUT ERRORS RESULT IN EITHER GPC "FAIL-TO-SYNC"
BRINGING DOWN AN ERRING GPC, OR IGNORING INPUTS FROM AN ERRING
MDM VIA A GPC MASK. ERRONEOUS INPUTS, IF PROPAGATED THROUGH THE
GPC, COULD RESULT IN ERRONEOUS COMMAND OUTPUTS AND LOSS OF
VEHICLE/LIFE, IF COMPLETE FUNCTION WAS LOST.

REFERENCES: JSC 18820, JSC 11174, JSC 12770


C-41 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/1R
MDAC ID:   205             ABORT:                3/1R

ITEM:         CENTRAL PROCESSING UNIT (CPU)
FAILURE MODE: LOSS OF OUTPUT

LEAD ANALYST: T. B. CRIBBS    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) GENERAL PURPOSE COMPUTER (GPC)
3) CENTRAL PROCESSING UNIT (CPU)
4)
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/3         RTLS:    3/1R
LIFTOFF:          3/1R        TAL:     3/1R
ONORBIT:          3/2R        AOA:     3/1R
DEORBIT:          3/1R        ATO:     3/1R
LANDING/SAFING:   3/1R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: AV BAYS
PART NUMBER:

CAUSES: CPU FAILS TO FUNCTION DUE TO LOSS OF POWER OR FAILURE OF
MEMORY TIMING PAGE

EFFECTS/RATIONALE:
IN DYNAMIC FLIGHT PHASES WHERE REDUNDANT SET (RS) IS OPERATING,
OTHER GPC'S RECOGNIZE GPC FAILING TO SYNC AND ISSUE FAIL VOTES
AGAINST IT. THE FAILING GPC'S VOTING LOGIC THEN REMOVES IT FROM
THE RS. FOUR THS GPC'S CONTROL CRITICAL FLIGHT FUNCTIONS; IF AT
LEAST THREE ARE LOST, THE 5TH GPC (BACKUP FLIGHT COMPUTER, BFS)
IS ENGAGED. LOSS OF BFS WOULD RESULT IN LOSS OF VEHICLE/LIFE.

REFERENCES: JSC 18820, JSC 11174, JSC 12770


C-42 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/1R
MDAC ID:   206             ABORT:                3/1R

ITEM:         CENTRAL PROCESSING UNIT (CPU)
FAILURE MODE: ERRONEOUS/ERRATIC OUTPUT

LEAD ANALYST: T. B. CRIBBS    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) GENERAL PURPOSE COMPUTER (GPC)
3) CENTRAL PROCESSING UNIT (CPU)
4)
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/2R        RTLS:    3/1R
LIFTOFF:          3/1R        TAL:     3/1R
ONORBIT:          3/3         AOA:     3/1R
DEORBIT:          3/1R        ATO:     3/1R
LANDING/SAFING:   3/1R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: AV BAYS
PART NUMBER:

CAUSES: CPU OUTPUTS INVALID DATA TO IOP DUE TO MEMORY PARITY
ERROR, OR FAILURE OF MASTER BUS CONTROL, ALU, DATA FLOW MUX, OR
LOCAL STORE

EFFECTS/RATIONALE:
CRITICAL GPC OUTPUTS ARE VALIDATED BY SUMWORD COMPARISON TO
OUTPUTS FROM REDUNDANT GPC'S; HOWEVER, DETECTED ERRORS ARE MERELY
LOGGED AND DOWNLINKED WITHOUT CORRECTIVE ACTION. INVALID COMMAND
OUTPUTS ARE PASSED THROUGH BUS TERMINAL UNITS (BTU'S) TO
ACTUATORS WHICH "FORCE FIGHT" THE REDUNDANT COMMANDS IN ORDER TO
VOTE OUT THE ERRONEOUS COMMAND. LOSS OF MORE THAN ONE OUTPUT
CHANNEL TO THE SAME ACTUATOR WOULD REQUIRE CREW INTERVENTION,
POSSIBLY CAUSING UNSTABLE SWITCHOVER TRANSIENTS.

REFERENCES: JSC 18820, JSC 11174, JSC 12770


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 

DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/1R
MDAC ID:   207             ABORT:                3/1R

ITEM:         CENTRAL PROCESSING UNIT (CPU)
FAILURE MODE: DELAYED/PREMATURE/INADVERTENT OPERATION

LEAD ANALYST: T. B. CRIBBS    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) GENERAL PURPOSE COMPUTER (GPC)
3) CENTRAL PROCESSING UNIT (CPU)
4)
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/2R        RTLS:    3/1R
LIFTOFF:          3/1R        TAL:     3/1R
ONORBIT:          3/3         AOA:     3/1R
DEORBIT:          3/1R        ATO:     3/1R
LANDING/SAFING:   3/1R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: AV BAYS
PART NUMBER:

CAUSES: CPU ATTEMPTS TO OUTPUT DATA AT INAPPROPRIATE TIME DUE TO
PROCESSOR SLOW-DOWN WHILE SERVICING RECURRING I/O ERRORS, FAILURE
OF INTERRUPT LOGIC, OR INTERMITTENCE IN TIMING PAGE.

EFFECTS/RATIONALE:
REDUNDANT SET GPC'S SYNC UP BY WAITING FOR SYNC POINT MESSAGES
FROM OTHER GPC'S TO INDICATE COMPLETION OF IDENTICAL OPERATIONS.
EXCESSIVE PROCESSOR LOAD COULD REQUIRE ALL GPC'S TO WAIT
EXCESSIVELY, BUT EACH GPC WOULD RECOGNIZE THE SLOW DOWN AND ISSUE
A FAIL-TO-SYNC VOTE, AND THE SLOW GPC'S VOTING LOGIC WOULD REMOVE
IT FROM THE RS. IF PERFORMANCE OF ALL GPC'S WAS DEGRADED DURING
DYNAMIC FLIGHT PHASES, VEHICLE INSTABILITY COULD OCCUR UNLESS
CREW TOOK CONTROL.

REFERENCES: JSC 18820, JSC 11174, JSC 12770


C-44 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 

DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               2/1R
MDAC ID:   208             ABORT:                2/1R

ITEM:         CENTRAL PROCESSING UNIT (CPU)
FAILURE MODE: INADVERTENT OPERATION

LEAD ANALYST: T. B. CRIBBS    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) GENERAL PURPOSE COMPUTER (GPC)
3) CENTRAL PROCESSING UNIT (CPU)
4)
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/3         RTLS:    2/1R
LIFTOFF:          2/1R        TAL:     2/1R
ONORBIT:          3/3         AOA:     2/1R
DEORBIT:          2/1R        ATO:     2/1R
LANDING/SAFING:   2/1R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: AV BAYS
PART NUMBER:

CAUSES: CPU ATTEMPTS TO OUTPUT DATA ON INCORRECT DATA BUS DUE TO
ERRORS IN MEMORY LOCATIONS CONTAINING CONFIGURATION OR
BUS-STRINGING PARAMETERS.

EFFECTS/RATIONALE:
LOSS OF MEMORY IN BUS ASSIGNMENT TABLE (NBAT) COULD RESULT IN A
GPC ATTEMPTING TO COMMAND A DATA BUS COMMANDED BY ANOTHER GPC.
BOTH EXAMINE THEIR RESPECTIVE NBAT AND ASSUME NO ERROR CONDITION,
AND CONTINUE TRANSMISSION ON THAT SAME BUS. THIS WOULD CAUSE ALL
DATA ON THAT BUS TO BE ERRONEOUS. FURTHERMORE, IDLE BUS IS
CREATED AND 2 COMMAND PATHS ARE LOST. POSSIBLE TO OUTVOTE GOOD
COMMANDS: LOSS OF VEHICLE/LIFE.

REFERENCES: JSC 18820, JSC 11174, JSC 12770


C-45 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/3
MDAC ID:   209             ABORT:                3/3

ITEM:         CPU POWER SWITCH
FAILURE MODE: FAILS CLOSED

LEAD ANALYST: T. B. CRIBBS    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) GENERAL PURPOSE COMPUTER (GPC)
3) CENTRAL PROCESSING UNIT (CPU)
4) CPU POWER SWITCH
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/3         RTLS:    3/3
LIFTOFF:          3/3         TAL:     3/3
ONORBIT:          3/3         AOA:     3/3
DEORBIT:          3/3         ATO:     3/3
LANDING/SAFING:   3/3

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: PANEL 06
PART NUMBER:

CAUSES: CPU POWER SWITCH IS STUCK IN THE "ON" POSITION DUE TO
CONTAMINATION

EFFECTS/RATIONALE:
FLIGHT RULES DICTATE THAT THE CREW SHOULD POWER OFF ANY GPC WHICH
HAS RECURRING ERRORS DURING DYNAMIC FLIGHT PHASES, AS SOON AS
POSSIBLE TO AVOID ERRONEOUS OUTPUTS BEING SENT TO ACTUATORS. IF
THE CPU POWER SWITCH WERE STUCK IN THE "ON" POSITION AND ANOTHER
GPC BEGAN SENDING ERRONEOUS DATA, THE ACTUATORS COULD NOT VOTE
OUT THE ERRONEOUS COMMANDS AND THE CREW WOULD NEED TO TAKE MANUAL
CONTROL.

REFERENCES: JSC 18820, JSC 11174, JSC 12770


C-46 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/1R
MDAC ID:   210             ABORT:                3/1R

ITEM:         GPC MODE SWITCH
FAILURE MODE: FAILS CLOSED

LEAD ANALYST: T. B. CRIBBS    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) GENERAL PURPOSE COMPUTER (GPC)
3) CENTRAL PROCESSING UNIT (CPU)
4) GPC MODE SWITCH
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/3         RTLS:    3/1R
LIFTOFF:          3/1R        TAL:     3/1R
ONORBIT:          3/2R        AOA:     3/1R
DEORBIT:          3/1R        ATO:     3/1R
LANDING/SAFING:   3/1R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: PANEL 06
PART NUMBER:

CAUSES: CPU MODE SWITCH IS STUCK IN THE "HALT" OR "STANDBY"
POSITION DUE TO CONTAMINATION

EFFECTS/RATIONALE:
IF THE MODE SWITCH FOR A GPC WERE STUCK IN A NON-RUN POSITION THE
GPC WOULD IN EFFECT BE DISABLED, SIMILAR TO FAILING TO HALT. THE
REMAINING GPC'S WOULD IGNORE THIS GPC, AND THE GPC WOULD NOT BE
AVAILABLE AS A BACKUP OR REDUNDANT MEMBER. IF ALL GPC'S WERE
STUCK IN THE STANDBY MODE, THE CREW COULD NOT PERFORM CRITICAL
FLIGHT CONTROL FUNCTIONS.

REFERENCES: JSC 18820, JSC 11174, JSC 12770


C-47 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/1R
MDAC ID:   211             ABORT:                3/1R

ITEM:         GPC OUTPUT SWITCH
FAILURE MODE: FAILS CLOSED

LEAD ANALYST: T. B. CRIBBS    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) GENERAL PURPOSE COMPUTER (GPC)
3) CENTRAL PROCESSING UNIT (CPU)
4) GPC OUTPUT SWITCH
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/3         RTLS:    3/1R
LIFTOFF:          3/1R        TAL:     3/1R
ONORBIT:          3/3         AOA:     3/1R
DEORBIT:          3/1R        ATO:     3/1R
LANDING/SAFING:   3/1R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: PANEL 06
PART NUMBER:

CAUSES: CPU OUTPUT SWITCH IS STUCK IN THE "TERMINATE" OR
"BACKUP" POSITION DUE TO CONTAMINATION

EFFECTS/RATIONALE:
IF THE OUTPUT SWITCH WERE STUCK IN THE "TERMINATE" POSITION, THIS
WOULD HAVE THE SAME EFFECT OF DISABLING THE GPC'S OUTPUT; ALL
SWITCHES IN THIS POSITION WOULD CAUSE LOSS OF VEHICLE CONTROL.
IF THE SWITCH WERE STUCK IN THE "BACKUP" POSITION THIS GPC WOULD
ONLY BE AVAILABLE AS BFS. IF ALL SWITCHES IN "BACKUP" GPC 5
WOULD BE BACKUP WHEN ENGAGED.

REFERENCES: JSC 18820, JSC 11174, JSC 12770


C-48 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/3
MDAC ID:   212             ABORT:                3/3

ITEM:         IPL SOURCE SWITCH
FAILURE MODE: FAILS OPEN

LEAD ANALYST: T. B. CRIBBS    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) GENERAL PURPOSE COMPUTER (GPC)
3) CENTRAL PROCESSING UNIT (CPU)
4) MMU INITIAL PROGRAM LOAD (IPL) SOURCE SWITCH
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/3         RTLS:    3/3
LIFTOFF:          3/3         TAL:     3/3
ONORBIT:          3/3         AOA:     3/3
DEORBIT:          3/3         ATO:     3/3
LANDING/SAFING:   3/3

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: PANEL 06
PART NUMBER:

CAUSES: IPL SELECTOR SWITCH IS SHORTED OR POWER SOURCE IS LOST
DUE TO CONTAMINATION

EFFECTS/RATIONALE:
IPL SOURCE SWITCH IS USED AT PRE-LAUNCH TO INITIALIZE GPC'S.
THIS FAILURE COULD CAUSE LOSS OF A MISSION OPPORTUNITY DUE TO
LAUNCH DELAY. DURING FLIGHT THE GPC'S ARE NOT TYPICALLY
RE-IPL'ED, EVEN THOUGH THE MMU IS USED TO RETRIEVE NEW MEMORY
OVERLAYS (AS OPPOSED TO THE IPL LOADING THE ENTIRE SYSTEM
SOFTWARE, INCLUDING MCDS INITIALIZATION).

REFERENCES: JSC 18820, JSC 11174, JSC 12770


C-49 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/1R
MDAC ID:   213             ABORT:                3/1R

ITEM:         GPC POWER SWITCH
FAILURE MODE: FAILS OPEN

LEAD ANALYST: T. B. CRIBBS    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) GENERAL PURPOSE COMPUTER (GPC)
3) CENTRAL PROCESSING UNIT (CPU)
4) GPC POWER SWITCH
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/3         RTLS:    3/1R
LIFTOFF:          3/1R        TAL:     3/1R
ONORBIT:          3/2R        AOA:     3/1R
DEORBIT:          3/1R        ATO:     3/1R
LANDING/SAFING:   3/1R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: PANEL 06
PART NUMBER:

CAUSES: CPU POWER SWITCH IS STUCK IN "OFF" POSITION, OR GPC
POWER IS LOST

EFFECTS/RATIONALE:
IF THE GPC POWER SWITCH WERE STUCK IN THE "OFF" POSITION, THE GPC
COULD NOT FUNCTION, SAME AS CPU LOSS OF OUTPUT.

REFERENCES: JSC 18820, JSC 11174, JSC 12770


C-50 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/1R
MDAC ID:   300             ABORT:                3/1R

ITEM:         KEYBOARD SWITCH
FAILURE MODE: OPEN/CLOSED

LEAD ANALYST: H J LOWERY    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS)
3) KEYBOARD
4) SWITCH
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/2R        RTLS:    3/1R
LIFTOFF:          3/1R        TAL:     3/1R
ONORBIT:          3/1R        AOA:     3/1R
DEORBIT:          3/1R        ATO:     3/1R
LANDING/SAFING:   3/1R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: UPPER CREW AREA
PART NUMBER:

CAUSES: MECHANICAL FRACTURE/CONTAMINATION/DEBRIS

EFFECTS/RATIONALE:
LOSS OF INPUTTING COMMAND CAPABILITY. REDUNDANT HARDWARE WOULD
NOT BE ACCESSIBLE DURING PERIODS OF ANTICIPATED HIGH
ACCELERATION/DECELERATION FORCES, I.E., 1. LIFT-OFF THROUGH MAIN
ENGINE CUT-OFF - APPROXIMATELY 8 MIN 40 SEC; 2. ENTRY THROUGH
SAFING - APPROXIMATELY 400,000FT (TD -40 MIN) THROUGH SAFING.

REFERENCES:


C-51 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/1R
MDAC ID:   301             ABORT:                3/1R

ITEM:         X/Y DEFLECTION AMPLIFIERS
FAILURE MODE: NO OUTPUT/ERRONEOUS/ERRATIC OUTPUT

LEAD ANALYST: H J LOWERY    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS)
3) DISPLAY UNIT
4) X/Y DEFLECTION AMPLIFIERS
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/2R        RTLS:    3/1R
LIFTOFF:          3/1R        TAL:     3/1R
ONORBIT:          3/1R        AOA:     3/1R
DEORBIT:          3/1R        ATO:     3/1R
LANDING/SAFING:   3/1R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: UPPER CREW AREA
PART NUMBER:

CAUSES: TEMPERATURE STRESS/CONTAMINATION/DEBRIS

EFFECTS/RATIONALE:
LOSS OF MONITORING CAPABILITY. REDUNDANT HARDWARE WOULD NOT BE
ACCESSIBLE DURING PERIODS OF ANTICIPATED HIGH
ACCELERATION/DECELERATION FORCES, I.E., 1. LIFT-OFF THROUGH MAIN
ENGINE CUT-OFF - APPROXIMATELY 8 MIN 40 SEC; 2. ENTRY THROUGH
SAFING - APPROXIMATELY 400,000FT (TD -40 MIN) THROUGH SAFING.

REFERENCES:


C-52 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/1R
MDAC ID:   302             ABORT:                3/1R

ITEM:         VIDEO AMPLIFIER
FAILURE MODE: NO OUTPUT/ERRONEOUS/ERRATIC OUTPUT

LEAD ANALYST: H J LOWERY    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS)
3) DISPLAY UNIT
4) VIDEO AMPLIFIER
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/2R        RTLS:    3/1R
LIFTOFF:          3/1R        TAL:     3/1R
ONORBIT:          3/1R        AOA:     3/1R
DEORBIT:          3/1R        ATO:     3/1R
LANDING/SAFING:   3/1R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: UPPER CREW AREA
PART NUMBER:

CAUSES: TEMPERATURE STRESS/CONTAMINATION/DEBRIS

EFFECTS/RATIONALE:
LOSS OF MONITORING CAPABILITY. REDUNDANT HARDWARE WOULD NOT BE
ACCESSIBLE DURING PERIODS OF ANTICIPATED HIGH
ACCELERATION/DECELERATION FORCES, I.E., 1. LIFT-OFF THROUGH MAIN
ENGINE CUT-OFF - APPROXIMATELY 8 MIN 40 SEC; 2. ENTRY THROUGH
SAFING - APPROXIMATELY 400,000FT (TD -40 MIN) THROUGH SAFING.

REFERENCES:


C-53 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:      10/03/86        HIGHEST CRITICALITY   HDW/FUNC
SUBSYSTEM: DPS             FLIGHT:               3/1R
MDAC ID:   303             ABORT:                3/1R

ITEM:         CATHODE-RAY TUBE
FAILURE MODE: NO OUTPUT/ERRONEOUS/ERRATIC OUTPUT

LEAD ANALYST: H J LOWERY    SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:
1) DPS
2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS)
3) DISPLAY UNIT
4) CATHODE-RAY TUBE
5)
6)
7)
8)
9)

CRITICALITIES
FLIGHT PHASE      HDW/FUNC    ABORT    HDW/FUNC
PRELAUNCH:        3/2R        RTLS:    3/1R
LIFTOFF:          3/1R        TAL:     3/1R
ONORBIT:          3/1R        AOA:     3/1R
DEORBIT:          3/1R        ATO:     3/1R
LANDING/SAFING:   3/1R

REDUNDANCY SCREENS: A [ 1 ]  B [ P ]  C [ P ]

LOCATION: UPPER CREW AREA
PART NUMBER:

CAUSES: SHOCK/TEMPERATURE STRESS/MECHANICAL FRACTURE/
VIBRATION/CONTAMINATION/DEBRIS

EFFECTS/RATIONALE:
LOSS OF MONITORING CAPABILITY. REDUNDANT HARDWARE WOULD NOT BE
ACCESSIBLE DURING PERIODS OF ANTICIPATED HIGH
ACCELERATION/DECELERATION FORCES, I.E., 1. LIFT-OFF THROUGH MAIN
ENGINE CUT-OFF - APPROXIMATELY 8 MIN 40 SEC; 2. ENTRY THROUGH
SAFING - APPROXIMATELY 400,000FT (TD -40 MIN) THROUGH SAFING.

REFERENCES:


C-54 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

304 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: HI AND LOW VOLTAGE POWER SUPPLIES 

FAILURE MODE: NO OUTPUT/ERRONEOUS/ERRATIC OUTPUT 

LEAD ANALYST: H J LOWERY SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 

1) DPS 

2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS) 

3) DISPLAY UNIT 

4) HIGH AND LOW (+/-5, 15, 28 & 80 VDC) VOLTAGE POWER SUPPLIES

5) 

6 ) 

7) 

8 ) 

9) 


CRITICALITIES 



FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 


PRELAUNCH:

3/2R 

RTLS: 

3/1R 


LIFTOFF: 

3/1R 

TAL: 

3/1R 


ONORBIT: 

3/1R 

AOA: 

3/1R 


DEORBIT: 

3/1R 

ATO: 

3/1R 

LANDING/SAFING: 3/1R




REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 

LOCATION: UPPER CREW AREA

PART NUMBER:

CAUSES: MECHANICAL FRACTURES/ CONTAMINATION/ DEBRIS


EFFECTS/RATIONALE : 

LOSS OF MONITORING CAPABILITY. REDUNDANT HARDWARE WOULD NOT BE 
ACCESSIBLE DURING PERIODS OF ANTICIPATED HIGH 

ACCELERATION/DEACCELERATION FORCES. IE. 1. LIFT-OFF THROUGH MAIN 
ENGINE CUT-OFF - APPROXIMATELY 8 MIN 40 SEC; 2. ENTRY THROUGH 
SAFEING -APPROXIMATELY 400,000FT (TD -40 MIN) THROUGH SAFEING. 

REFERENCES : 


C-55 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

305 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R


ITEM: RPC 

FAILURE MODE: OPEN/CLOSED/PREMATURE OPERATION 


LEAD ANALYST: H J LOWERY SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 

1) DPS 

2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS) 

3) DISPLAY UNIT 

4) RPC 

5) 

6 ) 

7 ) 

8) 

9) 


CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/2R 

RTLS : 

3/1R 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT: 

3/1R 

AOA: 

3/1R 

DEORBIT: 

3/1R 

ATO: 

3/1R 

LANDING/SAFING:

3/1R



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: UPPER CREW AREA

PART NUMBER: 

CAUSES : MECHANICAL FRACTURE/ CONTAMINATION/ DEBRIS 


EFFECTS/RATIONALE : 

LOSS OF MONITORING CAPABILITY. REDUNDANT HARDWARE WOULD NOT BE
ACCESSIBLE DURING PERIODS OF ANTICIPATED HIGH
ACCELERATION/DEACCELERATION FORCES. IE. 1. LIFT-OFF THROUGH MAIN
ENGINE CUT-OFF - APPROXIMATELY 8 MIN 40 SEC; 2. ENTRY THROUGH
SAFEING -APPROXIMATELY 400,000FT (TD -40 MIN) THROUGH SAFEING.


REFERENCES : 


C-56 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 

DATE: 10/03/86 HIGHEST CRITICALITY HDW/FUNC 

SUBSYSTEM: DPS FLIGHT: 3/1R 

MDAC ID: 306 ABORT: 3/1R 

ITEM: MEMORY 

FAILURE MODE: NO OUTPUT/ERRONEOUS/ERRATIC OUTPUT 

LEAD ANALYST: H J LOWERY SUBSYS LEAD: B. ROBB 

BREAKDOWN HIERARCHY: 

1) DPS 

2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS) 

3) DEU 

4) MEMORY 

5) 

6 ) 

7) 

8 ) 

9) 




CRITICALITIES 



FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 


PRELAUNCH: 

3/2R 

RTLS : 

3/1R 


LIFTOFF: 

3/1R 

TAL: 

3/1R 


ONORBIT: 

3/1R 

AOA: 

3/1R 


DEORBIT: 

3/1R 

ATO: 

3/1R 


LANDING/SAFING:

3/1R




REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: UPPER CREW AREA 

PART NUMBER: 


CAUSES : CONTAMINATION/ DEBRIS 

EFFECTS/RATIONALE : 

LOSS OF MONITORING CAPABILITY. REDUNDANT HARDWARE WOULD NOT BE 
ACCESSIBLE DURING PERIODS OF ANTICIPATED HIGH 

ACCELERATION/DEACCELERATION FORCES. IE. 1. LIFT-OFF THROUGH MAIN
ENGINE CUT-OFF - APPROXIMATELY 8 MIN 40 SEC; 2. ENTRY THROUGH
SAFEING -APPROXIMATELY 400,000FT (TD -40 MIN) THROUGH SAFEING. 

REFERENCES : 


C-57 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

307 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: KEYBOARD ADAPTER

FAILURE MODE: NO OUTPUT/ ERRONEOUS/ ERRATIC OUTPUT 


LEAD ANALYST: H J LOWERY SUBSYS LEAD: B. ROBB 

BREAKDOWN HIERARCHY: 

1) DPS 

2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS) 

3) DEU 

4) KEYBOARD ADAPTER 

5) 

6 ) 

7) 

8 ) 

9 ) 


CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/2R 

RTLS : 

3/1R 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT : 

3/1R 

AOA:

3/1R 

DEORBIT:

3/1R

ATO:

3/1R

LANDING/SAFING:

3/1R

REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: UPPER CREW AREA 

PART NUMBER: 


CAUSES: CONTAMINATION/ DEBRIS 

EFFECTS/RATIONALE : 

LOSS OF INPUTTING COMMAND CAPABILITY. REDUNDANT HARDWARE WOULD 
NOT BE ACCESSIBLE DURING PERIODS OF ANTICIPATED HIGH 
ACCELERATION/DEACCELERATION FORCES. IE. 1. LIFT-OFF THROUGH MAIN 
ENGINE CUT-OFF - APPROXIMATELY 8 MIN 40 SEC; 2. ENTRY THROUGH 
SAFEING -APPROXIMATELY 400,000FT (TD -40 MIN) THROUGH SAFEING. 


REFERENCES : 


C-58 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

308 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: SYMBOL GENERATOR 

FAILURE MODE: NO OUTPUT/ ERRONEOUS/ ERRATIC OUTPUT 


LEAD ANALYST: H J LOWERY SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 

1) DPS 

2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS) 

3) DEU 

4) SYMBOL GENERATOR 

5) 

6) 

7) 

8) 

9) 


CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH : 

3/2R 

RTLS : 

3/1R 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT : 

3/1R 

AOA: 

3/1R 

DEORBIT:

3/1R

ATO:

3/1R

LANDING/SAFING:

3/1R

REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: UPPER CREW AREA 

PART NUMBER: 


CAUSES : CONTAMINATION/ DEBRIS 

EFFECTS/RATIONALE : 

LOSS OF MONITORING CAPABILITY. REDUNDANT HARDWARE WOULD NOT BE 
ACCESSIBLE DURING PERIODS OF ANTICIPATED HIGH 

ACCELERATION/DEACCELERATION FORCES. IE. 1. LIFT-OFF THROUGH MAIN 
ENGINE CUT-OFF - APPROXIMATELY 8 MIN 40 SEC; 2. ENTRY THROUGH 
SAFEING -APPROXIMATELY 400,000FT (TD -40 MIN) THROUGH SAFEING. 


REFERENCES : 


C-59 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

309 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: MIA 

FAILURE MODE: NO OUTPUT/ERRONEOUS/ERRATIC OUTPUT 


LEAD ANALYST: H J LOWERY SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 

1) DPS 

2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS) 

3) DEU 

4) MIA 

5) 

6 ) 

7) 

8 ) 

9 ) 


CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/2R 

RTLS : 

3/1R 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT: 

3/1R 

AOA: 

3/1R 

DEORBIT:

3/1R

ATO:

3/1R

LANDING/SAFING:

3/1R

REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: UPPER CREW AREA 

PART NUMBER: 


CAUSES : CONTAMINATION/ DEBRIS 

EFFECTS/RATIONALE : 

LOSS OF MONITORING CAPABILITY. REDUNDANT HARDWARE WOULD NOT BE 
ACCESSIBLE DURING PERIODS OF ANTICIPATED HIGH 

ACCELERATION/DEACCELERATION FORCES. IE. 1. LIFT-OFF THROUGH MAIN 
ENGINE CUT-OFF - APPROXIMATELY 8 MIN 40 SEC; 2. ENTRY THROUGH 
SAFEING -APPROXIMATELY 400,000FT (TD -40 MIN) THROUGH SAFEING. 

REFERENCES : 


C-60 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

310 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: CONTROL LOGIC 

FAILURE MODE: NO OUTPUT/ERRONEOUS/ERRATIC OUTPUT 


LEAD ANALYST: H J LOWERY SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 


1) DPS
2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS)
3) DEU
4) CONTROL LOGIC
5)
6)
7)
8)
9)







CRITICALITIES 



FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 


PRELAUNCH:

3/2R 

RTLS: 

3/1R 


LIFTOFF: 

3/1R 

TAL: 

3/1R 


ONORBIT : 

3/1R 

AOA: 

3/1R 


DEORBIT : 

3/1R 

ATO: 

3/1R 


LANDING/SAFING: 

3/1R 



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: UPPER CREW AREA 

PART NUMBER: 


CAUSES : CONTAMINATION/ DEBRIS 

EFFECTS/RATIONALE : 

LOSS OF MONITORING CAPABILITY. REDUNDANT HARDWARE WOULD NOT BE 
ACCESSIBLE DURING PERIODS OF ANTICIPATED HIGH 

ACCELERATION/DEACCELERATION FORCES. IE. 1. LIFT-OFF THROUGH MAIN 
ENGINE CUT-OFF - APPROXIMATELY 8 MIN 40 SEC; 2. ENTRY THROUGH 
SAFEING -APPROXIMATELY 400,000FT (TD -40 MIN) THROUGH SAFEING. 


REFERENCES 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

311 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: POWER SUPPLIES

FAILURE MODE: NO OUTPUT/ERRONEOUS/ERRATIC OUTPUT 


LEAD ANALYST: H J LOWERY SUBSYS LEAD: B. ROBB 

BREAKDOWN HIERARCHY: 

1) DPS 

2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS) 

3) DEU 

4) POWER SUPPLIES (+/-5, 12 & 15 VDC) 

5) 

6 ) 

7) 

8 ) 

9) 


CRITICALITIES

FLIGHT PHASE       HDW/FUNC     ABORT     HDW/FUNC
PRELAUNCH:         3/2R         RTLS:     3/1R
LIFTOFF:           3/1R         TAL:      3/1R
ONORBIT:           3/1R         AOA:      3/1R
DEORBIT:           3/1R         ATO:      3/1R
LANDING/SAFING:    3/1R


REDUNDANCY SCREENS: A [ 1 ] B [ P ] C [ P ]


LOCATION: UPPER CREW AREA 

PART NUMBER: 


CAUSES : CONTAMINATION/ DEBRIS 


EFFECTS/RATIONALE : 

LOSS OF MONITORING CAPABILITY. REDUNDANT HARDWARE WOULD NOT BE 
ACCESSIBLE DURING PERIODS OF ANTICIPATED HIGH 

ACCELERATION/DEACCELERATION FORCES. IE. 1. LIFT-OFF THROUGH MAIN 
ENGINE CUT-OFF - APPROXIMATELY 8 MIN 40 SEC; 2. ENTRY THROUGH 
SAFEING -APPROXIMATELY 400,000FT (TD -40 MIN) THROUGH SAFEING. 


REFERENCES : 


C-62 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

312 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: RPC 

FAILURE MODE: OPEN/CLOSED/PREMATURE OPERATION 


LEAD ANALYST: H J LOWERY SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 


1) DPS
2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS)
3) DEU
4) RPC
5)
6)
7)
8)
9)


CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH:

3/2R 

RTLS: 

3/1R 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT: 

3/1R 

AOA: 

3/1R 

DEORBIT : 

3/1R 

ATO: 

3/1R 

LANDING/SAFING:

3/1R



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: UPPER CREW AREA 

PART NUMBER: 


CAUSES: TEMPERATURE STRESS/ MECHANICAL FRACTURE/ CONTAMINATION/ 

DEBRIS 


EFFECTS/RATIONALE : 

LOSS OF MONITORING CAPABILITY. REDUNDANT HARDWARE WOULD NOT BE 
ACCESSIBLE DURING PERIODS OF ANTICIPATED HIGH 

ACCELERATION/DEACCELERATION FORCES. IE. 1. LIFT-OFF THROUGH MAIN 
ENGINE CUT-OFF - APPROXIMATELY 8 MIN 40 SEC; 2. ENTRY THROUGH 
SAFEING -APPROXIMATELY 400,000FT (TD -40 MIN) THROUGH SAFEING.

REFERENCES : 


C-63 





INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

313 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/3 

ABORT: 3/3 


ITEM: LOAD SWITCH 

FAILURE MODE: OPEN/CLOSED/PREMATURE OPERATION 

LEAD ANALYST: H J LOWERY SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 

1) DPS 

2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS) 

3) DEU 

4 ) LOAD SWITCH 

5 ) 

6 ) 

7 ) 

8 ) 

9 ) 


CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/3 

RTLS : 

3/3 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AOA: 

3/3 

DEORBIT:

3/3

ATO:

3/3

LANDING/SAFING:

3/3

REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: UPPER CREW AREA 

PART NUMBER: 


CAUSES: MECHANICAL FRACTURE/ CONTAMINATION/ DEBRIS 


EFFECTS/RATIONALE : 

DEUS ARE NOT NORMALLY RELOADED DURING A MISSION. SWITCH IS NOT 
NEEDED. 


REFERENCES : 


C-64 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 10/03/86 HIGHEST CRITICALITY HDW/FUNC

SUBSYSTEM: DPS FLIGHT: 3/1R

MDAC ID: 314 ABORT: 3/1R

ITEM: FUNCTION SWITCH

FAILURE MODE: OPEN/CLOSED/PREMATURE OPERATION

LEAD ANALYST: H J LOWERY SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:

1) DPS
2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS)
3) DEU
4) FUNCTION SWITCH
5)
6)
7)
8)
9)


CRITICALITIES 


FLIGHT PHASE

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH:

3/2R 

RTLS : 

3/1R 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT : 

3/1R 

AOA:

3/1R 

DEORBIT: 

3/1R 

ATO: 

3/1R 

LANDING/SAFING:

3/1R



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: UPPER CREW AREA 

PART NUMBER: 


CAUSES: MECHANICAL FRACTURE/ CONTAMINATION/ DEBRIS 

EFFECTS/RATIONALE : 

IMPROPER MAJOR FUNCTION IDENTIFICATION. 


REFERENCES : 


C-65 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

315 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: DATA BUS COUPLER (DBC) 

FAILURE MODE : OPEN/SHORT 


LEAD ANALYST: H J LOWERY SUBSYS LEAD: B. ROBB 

BREAKDOWN HIERARCHY: 

1) DPS 

2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS) 

3) DBC 

4) 

5) 

6 ) 

7) 

8 ) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH:

3/2R 

RTLS: 

3/1R 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT : 

3/1R 

AOA: 

3/1R 

DEORBIT : 

3/1R 

ATO: 

3/1R 

LANDING/SAFING: 

3/1R 




REDUNDANCY SCREENS: A [ 1 ] B [ P ] C [ P ] 

LOCATION: ALL AV BAYS 

PART NUMBER: 

CAUSES: MECHANICAL FRACTURE/ CONTAMINATION/ DEBRIS 

EFFECTS/RATIONALE : 

LOSS OF DATA BUS. REDUNDANT HARDWARE WOULD NOT BE ACCESSIBLE 
DURING PERIODS OF ANTICIPATED HIGH ACCELERATION/DEACCELERATION 
FORCES. IE. 1. LIFT-OFF THROUGH MAIN ENGINE CUT-OFF - 
APPROXIMATELY 8 MIN 40 SEC; 2. ENTRY THROUGH SAFEING -
APPROXIMATELY 400,000FT (TD -40 MIN) THROUGH SAFEING. 

REFERENCES : 


C-66 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

316 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/2R 

ABORT : /NA 


ITEM: DBIA 

FAILURE MODE: OPEN/SHORT/ERRONEOUS/ERRATIC OUTPUT 


LEAD ANALYST: H J LOWERY SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 


1) DPS
2) MULTIFUNCTION CRT DISPLAY SYSTEM (MCDS)
3) DBIA
4)
5)
6)
7)
8)
9)


CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH:

3/2R 

RTLS : 

3/2R 

LIFTOFF: 

3/2R 

TAL: 

/NA 

ONORBIT : 

/NA 

AOA:

/NA 

DEORBIT:

/NA

ATO:

/NA

LANDING/SAFING:

/NA

REDUNDANCY SCREENS: 

A [ 1 ] 

B [NA ] 

C [ P ] 


LOCATION: AV BAY 5 

PART NUMBER: 


CAUSES: MECHANICAL FRACTURE/ CONTAMINATION/ DEBRIS 

EFFECTS/RATIONALE : 

LOSS OF ONE COMMAND/DATA PATH. 


REFERENCES : 


C-67 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

400 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/2R 

ABORT: 3/2R 


ITEM: TAPE TRANSPORT MECHANISM 

FAILURE MODE: LOSS OF OUTPUT 


LEAD ANALYST: K. PIETZ SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY:

1) DPS
2) MASS MEMORY UNITS (MMU)
3) TAPE TRANSPORT MECHANISM
4)
5)
6)
7)
8)
9)

CRITICALITIES

FLIGHT PHASE       HDW/FUNC     ABORT     HDW/FUNC
PRELAUNCH:         3/2R         RTLS:     /NA
LIFTOFF:           3/2R         TAL:      3/2R
ONORBIT:           3/2R         AOA:      3/2R
DEORBIT:           /NA          ATO:      3/2R
LANDING/SAFING:    /NA


REDUNDANCY SCREENS: A [ 2 ] B [ P ] C [ P ] 

LOCATION: AV BAY 1,2 

PART NUMBER: MC 615-0005 


CAUSES: WORN TAPE OR FOREIGN MATTER ON TAPE, MOTOR FAILURE (WORN 

BRUSHES, ETC.), WORN HEADS, FAILURE OF NEGATOR SPRING CAUSING 
TAPE SLIPPAGE DUE TO INCORRECT TENSION. 


EFFECTS/RATIONALE : 

IF BOTH MMUS FAIL, OPS 2 AND 3 SOFTWARE CANNOT BE LOADED. 
HOWEVER, OPS 3 CAN BE UPLINKED OR BFS ENGAGED FOR ENTRY. 


REFERENCES : 


C-68 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

401 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/2R 

ABORT: 3/2R 


ITEM: TAPE TRANSPORT MECHANISM 

FAILURE MODE: ERRONEOUS OUTPUT 

LEAD ANALYST: K. PIETZ SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 

1) DPS 

2) MASS MEMORY UNITS (MMU) 

3) TAPE TRANSPORT MECHANISM 

4) 

5) 

6 ) 

7) 

8) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/2R 

RTLS : 

/NA 

LIFTOFF: 

3/2R 

TAL: 

3/2R 

ONORBIT: 

3/2R 

AOA:

3/2R 

DEORBIT:

/NA

ATO:

3/2R

LANDING/SAFING:

/NA

REDUNDANCY SCREENS: 

A [ 2 ] 

B [ P ] 

C [ P ] 


LOCATION: AV BAY 1,2 

PART NUMBER: MC 615-0005 


CAUSES: WORN TAPE OR FOREIGN MATTER ON TAPE, TAPE SLIPPAGE DUE 

TO INCORRECT TENSION. 

EFFECTS/RATIONALE : 

IF BOTH MMUS FAIL, OPS 2 AND 3 SOFTWARE CANNOT BE LOADED. 
HOWEVER, OPS 3 CAN BE UPLINKED OR BFS ENGAGED FOR ENTRY. 

REFERENCES : 


C-69 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

402 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/2R 

ABORT: 3/2R 


ITEM: READ ELECTRONICS

FAILURE MODE: LOSS OF OUTPUT

LEAD ANALYST: K. PIETZ SUBSYS LEAD: B. ROBB

BREAKDOWN HIERARCHY:

1) DPS
2) MASS MEMORY UNITS (MMU)
3) READ ELECTRONICS
4)
5)
6)
7)
8)
9)

CRITICALITIES

FLIGHT PHASE       HDW/FUNC     ABORT     HDW/FUNC
PRELAUNCH:         3/2R         RTLS:     /NA
LIFTOFF:           3/2R         TAL:      3/2R
ONORBIT:           3/2R         AOA:      3/2R
DEORBIT:           /NA          ATO:      3/2R
LANDING/SAFING:    /NA

REDUNDANCY SCREENS: A [ 2 ] B [ P ] C [ P ]

LOCATION: AV BAY 1,2

PART NUMBER: MC 615-0005

CAUSES: ELECTRICAL FAILURE

EFFECTS/RATIONALE : 

IF BOTH MMUS FAIL, OPS 2 AND 3 SOFTWARE CANNOT BE LOADED. 
HOWEVER, OPS 3 CAN BE UPLINKED OR BFS ENGAGED FOR ENTRY. 


REFERENCES : 



C-70


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

403 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/2R 

ABORT: 3/2R 


ITEM: READ ELECTRONICS 

FAILURE MODE: ERRONEOUS OUTPUT 


LEAD ANALYST: K. PIETZ SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY:

1) DPS
2) MASS MEMORY UNITS (MMU)
3) READ ELECTRONICS
4)
5)
6)
7)
8)
9)


CRITICALITIES 



FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 


PRELAUNCH:

3/2R 

RTLS : 

/NA 


LIFTOFF: 

3/2R 

TAL: 

3/2R 


ONORBIT : 

3/2R 

AOA:

3/2R 


DEORBIT:

/NA

ATO:

3/2R

LANDING/SAFING:

/NA


REDUNDANCY SCREENS: A [ 2 ] B[P] C [ P ] 


LOCATION: AV BAY 1,2 

PART NUMBER: MC 615-0005 

CAUSES : ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

IF BOTH MMUS FAIL, OPS 2 AND 3 SOFTWARE CANNOT BE LOADED. 
HOWEVER, OPS 3 CAN BE UPLINKED OR BFS ENGAGED FOR ENTRY. 

REFERENCES : 


C-71 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE:

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

404 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/2R 

ABORT: 3/2R 


ITEM: MIA 

FAILURE MODE: LOSS OF OUTPUT 


LEAD ANALYST: K. PIETZ SUBSYS LEAD: B. ROBB 

BREAKDOWN HIERARCHY: 

1) DPS 

2) MASS MEMORY UNITS (MMU) 

3) MIA 

4) 

5) 

6 ) 

7) 

8 ) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/2R 

RTLS: 

/NA 

LIFTOFF : 

3/2R 

TAL: 

3/2R 

ONORBIT: 

3/2R 

AOA:

3/2R 

DEORBIT: 

/NA 

ATO: 

3/2R 

LANDING/SAFING:

/NA



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 

LOCATION: AV BAY 1/2

PART NUMBER: MC 615-0005



CAUSES: ELECTRICAL FAILURE 




EFFECTS/RATIONALE : 

IF BOTH MMUS FAIL, OPS 2 AND 3 SOFTWARE CANNOT BE LOADED. 
HOWEVER, OPS 3 CAN BE UPLINKED OR BFS ENGAGED FOR ENTRY. 

REFERENCES : 


C-72 


INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 10/03/86 HIGHEST CRITICALITY HDW/FUNC

SUBSYSTEM: DPS FLIGHT: 3/2R

MDAC ID: 405 ABORT: 3/2R

ITEM: MIA

FAILURE MODE: ERRONEOUS OUTPUT

LEAD ANALYST: K. PIETZ SUBSYS LEAD: B. ROBB



BREAKDOWN HIERARCHY: 

1) DPS 

2) MASS MEMORY UNITS (MMU) 

3) MIA 

4) 

5) 

6 ) 

7) 

8) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH : 

3/2R 

RTLS: 

/NA 

LIFTOFF: 

3/2R 

TAL: 

3/2R 

ONORBIT : 

3/2R 

AOA: 

3/2R 

DEORBIT:

/NA

ATO:

3/2R

LANDING/SAFING:

/NA

REDUNDANCY SCREENS: 

A [ 1 ] 

l — i 

A 

C [ P ]


LOCATION: AV BAY 1,2 

PART NUMBER: MC 615-0005 


CAUSES : ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

IF BOTH MMUS FAIL, OPS 2 AND 3 SOFTWARE CANNOT BE LOADED. 
HOWEVER, OPS 3 CAN BE UPLINKED OR BFS ENGAGED FOR ENTRY. 

REFERENCES : 


C-73 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

406 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/2R 

ABORT: 3/2R 


ITEM: WRITE ELECTRONICS 

FAILURE MODE: LOSS OF OUTPUT 


LEAD ANALYST: K. PIETZ SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 

1) DPS 

2) MASS MEMORY UNITS (MMU) 

3 ) WRITE ELECTRONICS 

4 ) 

5 ) 

6 ) 

7 ) 

8 ) 

9 ) 


CRITICALITIES

FLIGHT PHASE       HDW/FUNC     ABORT     HDW/FUNC
PRELAUNCH:         3/2R         RTLS:     /NA
LIFTOFF:           3/2R         TAL:      3/2R
ONORBIT:           3/2R         AOA:      3/2R
DEORBIT:           /NA          ATO:      3/2R
LANDING/SAFING:    /NA

REDUNDANCY SCREENS: A [ 2 ] B [ P ] C [ P ]


LOCATION: AV BAY 1,2 

PART NUMBER: MC 615-0005 


CAUSES: ELECTRICAL FAILURE 


EFFECTS/RATIONALE:

IF THE ABILITY TO WRITE TO MMUS WERE LOST, THE MISSION COULD BE 
TERMINATED EARLY. NO DANGER TO CREW OR VEHICLE. 


REFERENCES 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 10/03/86 HIGHEST CRITICALITY HDW/FUNC

SUBSYSTEM: DPS FLIGHT: 3/2R

MDAC ID: 407 ABORT: 3/2R

ITEM: RPC

FAILURE MODE: FAILED OPEN

LEAD ANALYST: K. PIETZ SUBSYS LEAD: B. ROBB



BREAKDOWN HIERARCHY: 

1) DPS 

2) MASS MEMORY UNITS (MMU) 

3 ) POWER SUPPLY 

4) RPC 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH:

3/2R 

RTLS: 

/NA 

LIFTOFF: 

3/2R 

TAL: 

3/2R 

ONORBIT : 

3/2R 

AOA: 

3/2R 

DEORBIT:

/NA

ATO:

3/2R

LANDING/SAFING:

/NA

REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: AV BAY 1,2 

PART NUMBER: MC 615-0005 


CAUSES : BROKEN CONTACT 

EFFECTS/RATIONALE : 

IF BOTH MMUS FAIL, OPS 2 AND 3 SOFTWARE CANNOT BE LOADED. 
HOWEVER, OPS 3 CAN BE UPLINKED OR BFS ENGAGED FOR ENTRY. 

REFERENCES : 


C-75 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 

DATE: 10/03/86 HIGHEST CRITICALITY HDW/FUNC 

SUBSYSTEM: DPS FLIGHT: 3/2R 

MDAC ID: 408 ABORT: 3/2R 

ITEM: SWITCH 

FAILURE MODE: FAILED OPEN 

LEAD ANALYST: K. PIETZ SUBSYS LEAD: B. ROBB 

BREAKDOWN HIERARCHY: 

1) DPS 

2) MASS MEMORY UNITS (MMU) 

3 ) POWER SUPPLY 

4) SWITCH 

5) 

6 ) 

7) 

8 ) 

9 ) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/2R 

RTLS : 

/NA 

LIFTOFF: 

3/2R 

TAL: 

3/2R 

ONORBIT: 

3/2R 

AOA:

3/2R 

DEORBIT : 

/NA 

ATO: 

3/2R 

LANDING/SAFING:

/NA



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: AV BAY 1,2 

PART NUMBER: MC 615-0005 


CAUSES: BROKEN CONTACT 

EFFECTS/RATIONALE : 

IF BOTH MMUS FAIL, OPS 2 AND 3 SOFTWARE CANNOT BE LOADED. 
HOWEVER, OPS 3 CAN BE UPLINKED OR BFS ENGAGED FOR ENTRY. 

REFERENCES : 


C-76 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 10/03/86 HIGHEST CRITICALITY HDW/FUNC

SUBSYSTEM: DPS FLIGHT: 3/3

MDAC ID: 409 ABORT: 3/3

ITEM: SWITCH

FAILURE MODE: FAILED CLOSED (ON)

LEAD ANALYST: K. PIETZ SUBSYS LEAD: B. ROBB



BREAKDOWN HIERARCHY: 

1) DPS 

2) MASS MEMORY UNITS (MMU) 

3 ) POWER SUPPLY 

4) SWITCH 

5) 

6 ) 

7) 

8 ) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/2R 

RTLS: 

/NA 

LIFTOFF: 

3/3 

TAL: 

3/3 

ONORBIT: 

3/3 

AOA: 

3/3 

DEORBIT: 

/NA 

ATO: 

3/3 

LANDING/SAFING: 

/NA 




REDUNDANCY SCREENS: A [ 1 ] B[P] C[P] 

LOCATION: AV BAY 1,2 

PART NUMBER: MC 615-0005 

CAUSES: STRAY PARTICLE 

EFFECTS/RATIONALE : 

NONE 


REFERENCES : 


C-77 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE : 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

410 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/2R 

ABORT: 3/2R 


ITEM: CONTROL LOGIC 

FAILURE MODE: LOSS OF OUTPUT 


LEAD ANALYST: K. PIETZ SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 

1) DPS
2) MASS MEMORY UNITS (MMU)
3) CONTROL LOGIC
4)
5)
6)
7)
8)
9)

CRITICALITIES

FLIGHT PHASE       HDW/FUNC     ABORT     HDW/FUNC
PRELAUNCH:         3/2R         RTLS:     /NA
LIFTOFF:           3/2R         TAL:      3/2R
ONORBIT:           3/2R         AOA:      3/2R
DEORBIT:           /NA          ATO:      3/2R
LANDING/SAFING:    /NA


REDUNDANCY SCREENS: A [ 2 ] B[P] C [ P ] 

LOCATION: AV BAY 1,2 

PART NUMBER: MC 615-0005 


CAUSES : ELECTRICAL FAILURE 


EFFECTS/RATIONALE : 

IF BOTH MMUS FAIL, OPS 2 OR 3 SOFTWARE CANNOT BE LOADED. 
HOWEVER, OPS 3 CAN BE UPLINKED OR BFS ENGAGED FOR ENTRY. 


REFERENCES : 


C-78 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

411 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/2R 

ABORT: 3/2R 


ITEM: CONTROL LOGIC 

FAILURE MODE: ERRONEOUS OUTPUT 


LEAD ANALYST: K. PIETZ SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 

1) DPS 

2) MASS MEMORY UNITS (MMU) 

3 ) CONTROL LOGIC 

4) 

5) 

6 ) 

7) 

8 ) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/2R 

RTLS : 

/NA 

LIFTOFF: 

3/2R 

TAL: 

3/2R 

ONORBIT : 

3/2R 

AOA:

3/2R 

DEORBIT:

/NA

ATO:

3/2R

LANDING/SAFING:

/NA

REDUNDANCY SCREENS: 

A [ 2 ] 

B [ P ] 

C [ P ] 


LOCATION: AV BAY 1,2 

PART NUMBER: MC 615-0005 


CAUSES : ELECTRICAL FAILURE 

EFFECTS/RATIONALE : 

IF BOTH MMUS FAIL, OPS 2 OR 3 SOFTWARE CANNOT BE LOADED. 
HOWEVER, OPS 3 CAN BE UPLINKED OR BFS ENGAGED FOR ENTRY. 

REFERENCES : 


C-79 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

412 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/2R 

ABORT: 3/2R 


ITEM: POWER SUPPLY 

FAILURE MODE: FAILS OUT OF TOLERANCE OR INTERRUPT 


LEAD ANALYST: K. PIETZ SUBSYS LEAD: B. ROBB 

BREAKDOWN HIERARCHY: 

1) DPS 

2) MASS MEMORY UNITS (MMU) 

3 ) POWER SUPPLY 

4) 

5) 

6 ) 

7) 

8 ) 

9) 

CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH: 

3/2R 

RTLS: 

/NA 

LIFTOFF: 

3/2R 

TAL: 

3/2R 

ONORBIT: 

3/2R 

AOA: 

3/2R 

DEORBIT : 

/NA 

ATO: 

3/2R 

LANDING/SAFING:

/NA


REDUNDANCY SCREENS: 

A [ 2 ] 

B [ P ] 

C [ P ] 

LOCATION: AV BAY 1,2

PART NUMBER: MC 615-0005



CAUSES: ELECTRICAL FAILURE 




EFFECTS/RATIONALE : 

IF BOTH MMUS FAIL, OPS 2 AND 3 SOFTWARE CANNOT BE LOADED. 

HOWEVER, OPS 3 CAN BE UPLINKED OR BFS ENGAGED FOR ENTRY. NEITHER 
OF THESE OPTIONS REQUIRE THE USE OF MMUS. 


REFERENCES 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

501 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: CIA 

FAILURE MODE: LOSS OF OUTPUT TO MAIN ENGINE ON ONE CHANNEL 


LEAD ANALYST: B. ROBB SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 

1) DPS 

2) ENGINE INTERFACE UNIT (EIU) 

3) CONTROLLER INTERFACE ADAPTER 

4 ) 

5 ) 

6 ) 

7 ) 

8) 

9 ) 


CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH:

3/2R 

RTLS : 

3/1R 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT: 

/NA 

AOA:

3/1R 

DEORBIT:

/NA

ATO:

3/1R

LANDING/SAFING:

/NA

REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: AV BAY 4,5,6 

PART NUMBER: 


CAUSES: CONTROLLER INTERFACE ADAPTER FAILS 


EFFECTS/RATIONALE : 

LOSS OF THROTTLE COMMANDS, SHUTDOWN COMMANDS, LIMIT 
INHIBIT/ENABLE COMMANDS, GPC SHUTDOWN COMMANDS, AND MPS DUMP 
COMMANDS. LOSS OF ONE OF THREE COMMAND PATHS WILL BE VOTED 
INVALID. NO EFFECT ON ENGINE OPERATIONS. 


REFERENCES : 


C-81 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

502 


HIGHEST CRITICALITY HDW/FUNC
FLIGHT: 3/1R

ABORT: 3/1R


ITEM: MIA 

FAILURE MODE: LOSS OF OUTPUT TO MAIN ENGINE ON ONE CHANNEL 

LEAD ANALYST: B. ROBB SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 

1) DPS 

2) ENGINE INTERFACE UNIT (EIU) 

3) MULTIPLEXER INTERFACE ADAPTER 

4) 

5) 

6 ) 

7) 

8 ) 

9) 


CRITICALITIES

FLIGHT PHASE       HDW/FUNC     ABORT     HDW/FUNC
PRELAUNCH:         3/2R         RTLS:     3/1R
LIFTOFF:           3/1R         TAL:      3/1R
ONORBIT:           /NA          AOA:      3/1R
DEORBIT:           /NA          ATO:      3/1R
LANDING/SAFING:    /NA


REDUNDANCY SCREENS: A [ 1 ] B[P] C[P] 

LOCATION: AV BAY 4,5,6 

PART NUMBER: 


CAUSES: MULTIPLEXER INTERFACE ADAPTER FAILS


EFFECTS/RATIONALE:

LOSS OF THROTTLE COMMANDS, SHUTDOWN COMMANDS, LIMIT 
INHIBIT/ENABLE COMMANDS, GPC SHUTDOWN COMMANDS, AND MPS DUMP 
COMMANDS. LOSS OF ONE OF THREE COMMAND PATHS WILL BE VOTED
INVALID. NO EFFECT ON ENGINE OPERATIONS. 


REFERENCES : 


C-82 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

503 


HIGHEST CRITICALITY HDW/FUNC
FLIGHT: 3/1R

ABORT: 3/1R


ITEM: POWER CONTROL SWITCH 

FAILURE MODE: LOSS OF OUTPUT TO MAIN ENGINE ON ANY OF THREE 

COMMAND CHANNELS 


LEAD ANALYST: B. ROBB 


SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 

1) DPS
2) ENGINE INTERFACE UNIT (EIU)
3) POWER CONTROL SWITCH
4)
5)
6)
7)
8)
9)

CRITICALITIES

FLIGHT PHASE       HDW/FUNC     ABORT     HDW/FUNC
PRELAUNCH:         3/2R         RTLS:     3/1R
LIFTOFF:           3/1R         TAL:      3/1R
ONORBIT:           /NA          AOA:      3/1R
DEORBIT:           /NA          ATO:      3/1R
LANDING/SAFING:    /NA

REDUNDANCY SCREENS: A [ 1 ] B [ P ] C [ P ]


LOCATION: AV BAY 4,5,6 

PART NUMBER: 


CAUSES: EIU POWER CONTROL SWITCH FAILS OPEN 


EFFECTS/RATIONALE : 

LOSS OF ALL COMMANDS AND STATUS OF THE ENGINE FOR THIS FAILURE 
MODE THE LOSS OF THE ENTIRE EIU WILL RESULT IN ENGINE SHUTDOWN BY 
CREW BY SWITCHING AC POWER TO THE ENGINE TO OFF POSITION. 


REFERENCES : 


C-83 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

504 


HIGHEST CRITICALITY HDW/FUNC
FLIGHT: 3/1R

ABORT: 3/1R


ITEM: INTERNAL POWER SUPPLIES 

FAILURE MODE: LOSS OF OUTPUT TO MAIN ENGINE ON ANY OF THREE 

COMMAND CHANNELS 


LEAD ANALYST: B. ROBB 


SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 

1) DPS 

2) ENGINE INTERFACE UNIT (EIU) 

3) INTERNAL POWER SUPPLIES 

4) 

5) 

6) 

7) 

8) 

9) 


CRITICALITIES 


FLIGHT PHASE 

HDW/FUNC 

ABORT 

HDW/FUNC 

PRELAUNCH:

3/2R 

RTLS : 

3/1R 

LIFTOFF: 

3/1R 

TAL: 

3/1R 

ONORBIT : 

/NA 

AOA: 

3/1R 

DEORBIT : 

/NA 

ATO: 

3/1R 

LANDING/SAFING:

/NA



REDUNDANCY SCREENS: 

A [ 1 ] 

B [ P ] 

C [ P ] 


LOCATION: AV BAY 4,5,6 

PART NUMBER: 




CAUSES: INTERNAL POWER SUPPLIES FAIL 


EFFECTS/RATIONALE : 

LOSS OF THROTTLE COMMANDS, SHUTDOWN COMMANDS, LIMIT 
INHIBIT/ENABLE COMMANDS, GPC SHUTDOWN COMMANDS, AND MPS DUMP 
COMMANDS. THE LOSS OF THE ENTIRE EIU WILL RESULT IN ENGINE 
SHUTDOWN BY CREW BY SWITCHING AC POWER TO THE ENGINE TO OFF 
POSITION. 

REFERENCES : 


C-84 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

505 


HIGHEST CRITICALITY HDW/FUNC 
FLIGHT: 3/1R 

ABORT: 3/1R 


ITEM: CONTROLLER INTERFACE ADAPTER 

FAILURE MODE: LOSS OF OUTPUT TO ONE OR THREE GPC ON STATUS OF 

ENGINES . 


LEAD ANALYST: B. ROBB SUBSYS LEAD: B. ROBB 

BREAKDOWN HIERARCHY: 


1) DPS
2) ENGINE INTERFACE UNIT (EIU)
3) CONTROLLER INTERFACE ADAPTER
4)
5)
6)
7)
8)
9)


CRITICALITIES 




FLIGHT PHASE 

HDW/FUNC ABORT 

HDW/FUNC 


PRELAUNCH:

3/2R 

RTLS : 

3/1R 


LIFTOFF: 

3/1R 

TAL: 

3/1R 


ONORBIT : 

/NA 

AOA: 

3/1R 


DEORBIT: 

/NA 

ATO: 

3/1R 


LANDING/SAFING:

/NA



REDUNDANCY SCREENS: A [ 1 ] B [ P ] C [ P ]


LOCATION: AV BAY 4,5,6 

PART NUMBER: 


CAUSES: CONTROLLER INTERFACE ADAPTER FAILURE 


EFFECTS/RATIONALE : 

NO MAIN ENGINE MONITORING BY ONE OR THREE OF FOUR GPCS. MCC
CONFIRMS COMMAND PATH GOOD BY MONITORING 3-G THROTTLE CONTROL. 

IF ENGINE IS NOT OPERATING, THE PUSHBUTTON FOR THE ENGINE MUST BE 
USED TO INFORM GUIDANCE FOR PREVALVE CLOSURES. FLIGHT RULE 2-17 
PRECLUDES RESTRINGING DURING POWERED ASCENT THROUGH MECO. 


REFERENCES : 


C-85 



INDEPENDENT ORBITER ASSESSMENT 
ORBITER SUBSYSTEM ANALYSIS WORKSHEET 


DATE: 

SUBSYSTEM: 
MDAC ID: 


10/03/86 

DPS 

506 


HIGHEST CRITICALITY HDW/FUNC
FLIGHT: 3/3

ABORT: 3/1R


ITEM: OIE 

FAILURE MODE: LOSS OF OUTPUT TO S-BAND, MAINTENANCE RECORDER, OR 

LPS T-0 UMBILICAL 


LEAD ANALYST: B. ROBB 


SUBSYS LEAD: B. ROBB 


BREAKDOWN HIERARCHY: 

1) DPS 

2) ENGINE INTERFACE UNIT (EIU) 

3) OPERATIONAL INTERFACE ELEMENT 

4) 

5) 

6 ) 

7) 

8 ) 

9) 


CRITICALITIES 


FLIGHT PHASE       HDW/FUNC     ABORT     HDW/FUNC
PRELAUNCH:         3/2R         RTLS:     3/1R
LIFTOFF:           3/3          TAL:      3/1R
ONORBIT:           /NA          AOA:      3/1R
DEORBIT:           /NA          ATO:      3/1R
LANDING/SAFING:    /NA


REDUNDANCY SCREENS: 


A [ 1 ] 


B [ P ] 


C [ P ] 


LOCATION: AV BAY 4,5,6 

PART NUMBER: 


CAUSES: OPERATIONAL INTERFACE ELEMENT FAILURE 


EFFECTS/RATIONALE: 

NO FM DATA RECORDING, NO MCC STATUS MONITORING OF ENGINE EXCEPT 
IN DOWNLIST DATA FROM GPC. 


REFERENCES : 


C-86 


APPENDIX D 

POTENTIAL CRITICAL ITEMS 



MDAC ID    ITEM    FAILURE MODE
203        IOP     Premature Operation
208        CPU     Inadvertent Operation


D-1





